5 Information Security Best Practices for the Insurance Industry
December 3, 2021
Compared to 20 years ago, modern business professionals are living the good life. Advancements in cloud computing and digital storage capabilities have allowed organizations to automate tasks and integrate data, saving both money and time. For insurance professionals, whether they’re agents, carriers, MGAs, or MGUs, the recent multi-billion dollar investment in insurtech has created efficiencies we could once only dream of. However, with great technology comes great responsibility.
With large amounts of data now stored online, hackers no longer have to break and enter a physical location to steal data. In 2020 alone, the United States reported nearly 4,000 data breaches. These data breaches and other cyber attacks not only compromise the personal information of millions of individuals, but they also end up costing a lot of money! An estimated $10.5 trillion worldwide by 2025, to be exact! Think you’re safe because you’re just a small agency? Even small businesses suffer an average of $25,000 in losses annually at the hands of cyber criminals.
The insurance industry runs an even greater risk when it comes to IT security due to the high volume of sensitive and valuable data necessary to perform daily operations. In the wrong hands, the large amount of personal data that an insurance company, agency, or brokerage houses could be used for anything from credit card fraud to identity theft. With insurance industry businesses increasingly relying on web-based platforms to store and communicate customer data, proper IT security is more important than ever.
Some recent, high-profile insurance industry information security incidents include:
- Chicago-based CNA Financial Corp., which is one of the largest insurance companies in the U.S., was targeted by hackers and locked out of their network: a practice known as a “ransom attack.” To regain access and control of their information, CNA reportedly paid the hackers a $40 million ransom.
- International insurance industry giant AXA fell victim to a distributed denial of service (DDoS) attack that targeted its Asia Assistance division. The attack was linked to a known ransomware gang and may have even been a deliberate response to news that AXA planned to drop coverage for ransomware payments from its cybersecurity policies.
- Geico Insurance, one of the largest auto insurance providers in the U.S., was the subject of an ongoing data breach. In this incident, hackers gained access to customer accounts and stole driver's license numbers over the course of several months.
These examples are scary. And the truth is, they are just some of the largest and most public instances of cyber attacks on the insurance industry. Luckily, your organization doesn’t have to be a sitting duck. There are steps you can take to mitigate IT security risks and give yourself and your clients greater peace of mind.
Here’s a list of five best practices every insurance carrier, agency, and MGA/MGU can implement now to minimize the risks of an attack happening.
Enable multi-factor authentication
Not sure where to begin with ensuring your data is secure? A simple start is enabling multi-factor authentication (MFA) on all your accounts and devices. MFA is just a long way of saying that you need more than one way to prove your identity before gaining access to a system.
Once MFA is set up, all users will be required to enter a one-time code, or token, along with their regular password. MFA often uses text messaging or email, and can also function with an app like Google Authenticator. Think of MFA as an additional password that only you know. Or, at least, someone would have to have physical possession of your phone or access to your email account in addition to your password, which reduces the chances of improper access. This provides an extra layer of protection for your clients' data, and since the code is different every time, even hackers who may have guessed your password won't be able to get into your accounts without a second form of authentication.
IT security training requirements
Added to payroll? Check!
Desk assigned? Check!
Welcome lunch? Check!
IT security training? Wait what?
If you don’t already have IT security training as a part of your employee onboarding process, now’s the time to add it. According to an industry report, 47 percent of business leaders cited employee error as the leading cause of a data breach at their organization.
Without training, employees might not think twice about leaving their computer or important documents unattended. While some amount of employee negligence is unavoidable (nobody's perfect!), implementing proper security training during employee onboarding and throughout the year can lead to a significant decrease in human error.
Limit or split data access across employees
Like any valuables, you shouldn’t keep important customer data all in one place. For example, you may want to store customers’ names and addresses in one database, their Social Security numbers in another, and their personal health information in yet another separate database. In doing so, you’ll make it more likely that in the event of a security breach, no one person or database has enough information to pose a threat.
Of course, splitting up data itself isn’t the entire answer. This can only work if each source of data has different passwords and login requirements. It also helps if different employees have limited access to only the data they absolutely need to know in order to perform their jobs. Having these “walls” in place, so to speak, helps contain the damage of a security breach if one does happen.
Keep software and data up-to-date
Hackers often target the software companies whose applications your business uses to store customer data. These security breaches can feel out of your control, but there is a simple way to mitigate the risk. With IT security threats on the rise each year, software companies are continuously updating their own security measures, meaning it may be time to install that software update you've been putting off for weeks. Once you've updated your software, it may also be a good time to update your data. Is your company still housing sensitive data files that are no longer needed? Cleaning up your systems and devices can lessen the damage caused by a security breach, both by reducing the chance of one to begin with and by protecting the data of people and companies that no longer need to be in your system at all.
Know your risk
The optimism bias is a logical fallacy that leads individuals to believe they’re at a lower risk of something bad happening than the average person. When it comes to data breaches, the same thing applies. It’s easy to think you’re free from the threat of a cyber attack, especially if your company has never been affected by one (that’s actually the gambler’s fallacy). In reality, those who think “it won’t happen to me” are more likely to let their guard down, which could allow security threats to slip in through the cracks.
Stay alert and be aware of any suspicious emails, calls, or links you receive. If you find yourself unsure whether a link or email is fraudulent, it’s always better to be safe than sorry. Double-check with others at your organization (particularly your IT or information security department) before clicking or acting on anything suspicious, and warn others if you do uncover a possible scam.
Make a plan
Along with these tips, it's a good idea to create a plan of action for your organization to follow in the event of a cyber attack, so that the damage can be contained and further harm prevented. If you're part of a larger insurance company, this responsibility likely does not fall to you. If you're an agency owner or principal, it might. Either way, knowing the standard operating procedures for a suspected or confirmed cyber attack is key to acting quickly if one takes place.
With IT security threats becoming increasingly common, taking the necessary precautions could end up saving your company’s reputation, finances, and most importantly, your customers’ personal information.
While no prevention is 100 percent guaranteed, it’s amazing how many companies simply don’t take any precautions, thus making a hacker’s job that much easier. When you follow these best practices, among many others, you can reduce the probability of a successful cybersecurity attack on your company.
If you’re into cybersecurity, AgentSync is built on a security-first platform. See our demo in action.