U.S. legislation, Russian war, escalating damages; cyber insurance is evolving by the minute, and both insurers and insureds need to take a forward approach to staying atop digital asset protection trends.
Before we really get going on our subject matter, we aren’t your lawyers, nor are we your IT! If you’re concerned about network security, this may help you get started, but this isn’t a comprehensive list of what to do for your organization. This isn’t where you cut costs: Hire an IT person, get a consultant, examine your security, do what it takes to protect your data!
What we need to protect and why
Insurance is an industry generally predicated on data, both in aggregate and individual formats. Data in aggregate informs practices such as actuarial models for how to appropriately underwrite and price a policy. Individuals’ personally identifying information is part of underwriting as well as premium payments, claims processing, and producer management.
For insurance companies, this involves client, producer, and employee data such as:
- Bank account or credit card information
- Social Security numbers
- Name, address, date of birth
- Personal data such as likes, dislikes, and other CRM data
- Personal and family health histories of life insurance consumers
All this (often unstructured) data is the meat and potatoes of the industry, but when we fail to adequately protect it, we are risking:
- Personal identity theft – this is perhaps the most common concern, that someone’s personally identifiable information will be exposed in a way that leaves them vulnerable to having their money stolen or things like credit cards being opened in their name.
- Proprietary espionage and public exposure of private company intel – having your business’s “secret sauce” on recruitment or product exposed could be a major liability.
- Data manipulation – not all cyber attacks are obvious. Data protection professionals increasingly warn that an intruder may quietly alter an organization’s data without the business knowing or understanding what has changed. This is an integrity failure rather than a confidentiality one, and without controls such as tamper-evident audit logs and verified, versioned backups it can go undetected for a long time.
- Ransom – a digital hostage situation can lead to dollar losses in addition to lost time, lost trust, and generally a feeling of unease that, after one incident, things won’t ever be the same.
- Scorched-earth data loss – if you have a hacker torch your digital infrastructure, you could face a total business shutdown for as long as it takes to recover or rebuild the lost data.
- Reputational harm – If any of the above happen, you’re looking not only at hard financial costs to remedy the situation but extensive, and possibly unquantifiable, reputational costs if your organization ends up in the headlines from a security incident.
In an environment where your business may be 100 percent online, protecting your data as much as possible should be very near the top of your to-do list.
Basic protections and cybersecurity best practices
This is a moving target: As businesses beef up security, cyber criminals work to evade the new protections.
Generally, current industry preventative standards are trending toward zero-trust architecture. The basic premise is that no user, device, or network location is trusted by default: every request to access a resource is authenticated and authorized on its own merits, no matter how many times that user has logged in before or whether they are sitting on the office network. Some current security best practices:
Basic security updates
If the applications and cloud-based services you use run on outdated software and hardware, it doesn’t matter how forward-thinking the parent company is. Constant reminders to update are annoying, but updates frequently fix security vulnerabilities in older versions, and attackers routinely target flaws for which a patch already exists.
Keeping hardware and software on supported, currently patched versions isn’t about being ahead of the tech curve: it’s basic cybersecurity hygiene.
Multi-factor authentication
Multi-factor authentication, also known as MFA, means each login requires more than one proof of identity, typically something you know (a password) plus something you have (a phone, an authenticator app, or a hardware key). A common MFA method is a one-time password (OTP) sent via text or email in addition to your standard username and password. Be aware that SMS and email codes are the weakest form of MFA, since they can be intercepted or phished in real time; where a service offers an authenticator app or a phishing-resistant option such as a FIDO2 hardware key, prefer that.
MFA has quickly become a standard of protection for many industries. For many digital denizens and those hooked up to the internet of things (IoT), MFA and its OTPs are commonplace for everything from bank logins to managing your toaster.
Phishing prevention and physical security with employee training
You’re only as good as your people, and that goes for your cyber defenses too. Employees are one of your biggest security liabilities (some studies point to more than 90 percent of data breaches involving employee error). But with the right training, you can help them be part of a strong cybersecurity defense.
Employees are the front line of preventing phishing and malware or ransomware downloads, as well as being the front line of physical security.
Physical security needs include informing employees about threats like tailgating, where an unauthorized person slips onto company property behind an authorized person with a keycard. Another preventative measure is a clean-desk policy. This doesn’t mean you call the health department over clutter (although sometimes coffee cups grow stuff, it is known). Rather, it means any visible sticky notes or paperwork are free of sensitive information, and sensitive material is locked away during lunch breaks, at the end of the work day, and any time someone leaves their desk, even for a moment.
Keeping your people invested in your organization’s security is critical to maintaining data integrity. It’s also important to facilitate best security practices in a convenient way that employees won’t hate and try to avoid.
Proactive threat assessment
Do you know who can access what data at your insurance business, and do they need that information to do their job? For instance, can your creative team members access your producer Social Security numbers? If yes, do they need to? (That’s a negatory, good buddy.) This also applies when someone moves from one role to another internally. An employee who historically needed access to sensitive information may no longer, and periodic access audits prevent employees from being grandfathered into access they no longer need. Apply the same review to service accounts and API keys, which are easy to forget and rarely have an owner watching them.
Are you using any software or service providers that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog? For those who take a Jets-and-Sharks approach to Apple vs. Microsoft, you’ll notice plenty of both brands’ products on the list. If you’re operating any of the listed software, make applying the vendor’s fix a priority (each catalog entry names a required action and a due date), or re-evaluate whether you need that product at all.
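The access review described above can be run as a script rather than by hand. The following is an added example, not AgentSync’s tooling: the roles, entitlements and users are constructed sample data standing in for an export from your identity provider or application, and the role-to-data mapping is an assumption you would replace with your own. It flags every grant a user holds that their current role does not explain, and tells the grandfathered case (access carried over from a previous role) apart from access nothing ever justified, listing sensitive data first.

```python
"""Added example: periodic access review that flags grants not justified by a
user's current role. All roles, users and grants are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: your organisation defines which data sets each role legitimately
# needs. These are illustrative placeholders for an insurance business.
ROLE_ENTITLEMENTS = {
    "producer_ops": {"producer_pii", "license_records", "commission_payments"},
    "claims":       {"claims_files", "client_pii"},
    "creative":     {"brand_assets", "crm_profiles"},
}

# Data sets whose over-exposure should be fixed first.
SENSITIVE = {"producer_pii", "client_pii", "commission_payments", "claims_files"}


@dataclass
class User:
    name: str
    role: str                                   # current role
    previous_roles: list[str] = field(default_factory=list)
    grants: set[str] = field(default_factory=set)  # what the system actually lets them read


@dataclass
class Finding:
    user: str
    grant: str
    reason: str
    sensitive: bool


def review_access(users: list[User]) -> list[Finding]:
    """Return every grant not covered by the user's current role, sensitive ones first."""
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role, set())
        for g in sorted(u.grants - allowed):
            if any(g in ROLE_ENTITLEMENTS.get(r, set()) for r in u.previous_roles):
                reason = "carried over from previous role"   # the grandfathering case
            else:
                reason = "not justified by any current or previous role"
            findings.append(Finding(u.name, g, reason, g in SENSITIVE))
    return sorted(findings, key=lambda f: (not f.sensitive, f.user, f.grant))


# Constructed sample users: a creative who can read producer SSNs, and a former
# producer-ops employee who moved to claims but kept commission-payment access.
SAMPLE_USERS = [
    User("alice", "creative", grants={"brand_assets", "crm_profiles", "producer_pii"}),
    User("bob", "claims", previous_roles=["producer_ops"],
         grants={"claims_files", "client_pii", "commission_payments"}),
    User("carol", "producer_ops", grants={"producer_pii", "license_records"}),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        flag = "SENSITIVE" if f.sensitive else "         "
        print(f"{flag} {f.user:<8} {f.grant:<22} {f.reason}")
```

Run it against a fresh export every quarter and after every role change; a clean run is as useful a record for an auditor or insurer as the findings are for you.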
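Checking an inventory against the KEV catalog is easy to automate. The catalog is published by CISA as JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), with each entry carrying the vendor, product, CVE ID, required action and due date. The script below is an added example, not AgentSync’s tooling: the feed records and the software inventory are constructed stand-ins in that feed’s shape, with obviously fake placeholder CVE IDs, so it runs offline; to use it for real, replace `SAMPLE_KEV_JSON` with the downloaded file’s contents and `SAMPLE_INVENTORY` with your asset list. Because KEV entries carry no version information, a match means “check this product against the advisory,” not “confirmed vulnerable.”

```python
"""Added example: match a software inventory against the CISA KEV catalog.
The feed records and inventory below are CONSTRUCTED samples with placeholder
CVE IDs (year 0000), in the shape of the real JSON feed."""
from __future__ import annotations
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "sample",
    "dateReleased": "2022-04-01T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
         "vulnerabilityName": "ExampleVendor Mail Gateway Remote Code Execution",
         "dateAdded": "2022-03-01", "shortDescription": "constructed sample entry",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-15", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
         "vulnerabilityName": "ExampleVendor Mail Gateway Authentication Bypass",
         "dateAdded": "2022-04-01", "shortDescription": "constructed sample entry",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-04-22", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Remote Desktop Tool",
         "vulnerabilityName": "OtherVendor Remote Desktop Tool Privilege Escalation",
         "dateAdded": "2022-03-27", "shortDescription": "constructed sample entry",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-04-10", "notes": ""},
    ],
})

# Constructed inventory. Note the sloppy casing and spacing in the first row:
# real asset lists are never typed the way the catalog spells things.
SAMPLE_INVENTORY = [
    {"vendor": "examplevendor", "product": "Mail   Gateway", "version": "4.2.1", "owner": "it-ops"},
    {"vendor": "OtherVendor", "product": "Remote Desktop Tool", "version": "9.0", "owner": "helpdesk"},
    {"vendor": "SomeCo", "product": "CRM", "version": "2023", "owner": "sales"},
]


def normalize(s: str) -> str:
    """Case- and whitespace-insensitive key so inventory spelling can match the catalog."""
    return " ".join(s.lower().split())


def load_kev(feed_text: str) -> dict[tuple[str, str], list[dict]]:
    """Index catalog entries by (vendor, product); one product can have several CVEs."""
    index: dict[tuple[str, str], list[dict]] = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def find_exposed(inventory: list[dict], kev_index: dict, today: date) -> list[dict]:
    """Return every (asset, KEV entry) pair, overdue items first, then by due date."""
    hits = []
    for asset in inventory:
        key = (normalize(asset["vendor"]), normalize(asset["product"]))
        for entry in kev_index.get(key, []):
            hits.append({
                "asset": f'{asset["vendor"]} {asset["product"]} {asset["version"]}',
                "owner": asset["owner"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "requiredAction": entry["requiredAction"],
                "dueDate": entry["dueDate"],
                "overdue": date.fromisoformat(entry["dueDate"]) < today,
            })
    return sorted(hits, key=lambda h: (not h["overdue"], h["dueDate"]))


if __name__ == "__main__":
    for h in find_exposed(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), date(2022, 4, 15)):
        status = "OVERDUE" if h["overdue"] else "due " + h["dueDate"]
        print(f'{status:<14} {h["cve"]:<14} {h["asset"]:<36} owner={h["owner"]}  {h["requiredAction"]}')
```

The KEV due dates are binding only on U.S. federal agencies (under CISA’s Binding Operational Directive 22-01), but they are a sensible default deadline for anyone, and a list of overdue items with named owners is exactly what an insurer’s questionnaire is trying to get at.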
Scrutinize your third-party vendors – third-party vulnerabilities are your vulnerabilities.
Proactively review your digital needs and scrub old and outdated tech, update training, reassess the access needs of team members, and re-evaluate your protocols.
If you’re ready to step up your game, consider getting an outside auditor to assess your gaps and vulnerabilities, and ask the same of your third-party vendors. At AgentSync, one of our security protocols is to have an SOC 2 Type I Report conducted regularly by an outside firm to both help us stay ahead of the game and validate our security for our partners.
CISA Guidance
Because of Russian cyber activity, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has issued prevention guidance called “Shields Up.” Like a Greek phalanx, each organization tightening its own security makes everyone’s network stronger as a whole. The Shields Up guidance covers four basic areas: prevention, detection, proactive response formation, and maximizing resilience.
Preventing a cyberthreat
CISA’s guidance on prevention is similar to the best practices outlined above:
- Multi-factor authentication
- Up-to-date software
- IT personnel disable all ports and protocols that are not essential for business purposes
- Strong controls for cloud services
- Use CISA’s free cyber hygiene services
Detecting cyber incidents
The earlier unusual activity is detected, the faster it can be contained and the less damage it does. Government guidance for detecting cyber threats includes:
- Cybersecurity personnel focus on identifying and quickly assessing unexpected or unusual network behavior, with logging enabled so that events can actually be investigated
- Confirm that antivirus and antimalware software is installed and its signatures are up to date
- Anyone working with Ukrainian organizations takes extra care to monitor, inspect, and isolate traffic from those organizations
Proactive response formation to threats
No one wants to think about being hacked or exposed to ransomware, but the businesses that are best equipped to respond to threats are the ones that have prepared in advance. CISA’s guidance includes:
- Designate a crisis-response team with main points of contact for business continuity
- Identify surge support and assure availability of key personnel
- Drill and practice
Maximize resilience
If you’ve put basic controls and procedures in place, then even the best can get better through testing and proactively assessing their resilience:
- Test backup procedures to make sure critical data can be restored quickly, and keep backups isolated from the network so a ransomware event cannot reach them
- If you run industrial control systems or operational technology, test the manual controls so critical functions keep working if the network is unavailable
- Review the CISA Russia-specific vulnerability bulletin
Cyberinsurance as the de facto regulator
The reality, as the White House recognized earlier this legislative season with a call-to-arms of sorts for insurers, is that these basic best practices are a long way from being the norm. But that’s something cyberinsurers have the power to change.
Thanks to comments in the Insurance Journal’s cybersecurity panel toward the close of March, it looks like that change is coming rather quickly as insurance carriers re-evaluate their data in light of Russian cyber attacks. While Congress and the White House have started to prioritize cybersecurity in their legislative packages, currently there is no legal standard across the nation for cybercrime prevention.
In many ways, that has placed insurance carriers that sell cyberinsurance as the de facto regulators of the space: By setting the bar for what preventative measures a customer has to meet before being issued a policy, insurers are enforcing what constitutes basic cyber hygiene. Insurance carriers by and large have become increasingly aware of this as the cost of each incident rises.
This is an area of evolution for the industry, certainly, but it’s one where insurance carriers have the opportunity to drive the conversation and continue to prove their value. Even carriers whose actuarial models are based on underwriting data from the last decade may need to evaluate how relevant the information is moving forward, as some insurers have seen the systemic risks of cyber policies move from typical business risks to catastrophic losses.
Third-party and vendor hygiene
One area that may be overlooked – to great risk! – is the security and preparedness of third-party vendors and any down- or upstream partners. After all, if you’ve looked at the Known Exploited Vulnerabilities catalog from earlier in the blog, you may recognize that, no matter how hard you’ve worked to protect your business, if your vendor or software has fallen asleep at the wheel, it’s gonna be a bad time.
So, both at the point of purchase and on a periodic basis, be diligent in assessing your partners and software vendors, asking them to validate their security standards and thoroughly reassure you of their cyber hygiene practices. Are they limiting their data access to a need-to-know basis? Do they have insurance? If so, does this mean they are required to maintain some level of cybersecurity hygiene to maintain it? Do they audit their security?
Unfortunately, as tech makes the human experience cooler and, in some cases, way simpler, there are also new complications. At AgentSync, our products are built on a zero-trust architecture. We are more than happy to take a deep dive into our own security protocols with prospective customers and partners. If you’re interested check out our demo.