As hacking events have increased in number and severity, we in the cybersecurity community have united around common strategies that all organizations can implement to reduce their risk. Universal best practices provide organizations with many useful tools to protect their businesses. But what often gets overlooked in these discussions are the unique security challenges that each industry faces, and the tailored solutions required to address those issues. This is an area of interest to me, and lately I’ve been fascinated by the path that the insurance industry is carving out when it comes to cybersecurity. Today, I’ll discuss recent activity by the U.S. insurance industry and the ramifications and impact of these initiatives. In future weeks, I’ll offer my insights into how other industries are confronting rising security and compliance risks.
Before we dive in, let me provide a little context into why I think we should segment out insurance as an area of focus. In many people’s minds, the insurance industry is considered simply a sub-sector of the financial services sector, but nothing could be further from the truth. For those not as familiar with these important nuances, it’s important to point out that the insurance market has its own business needs, technology requirements and adoption cycles, and buyer personas compared to banking and capital markets. Products (security-related or otherwise) that might resonate with a banker or an IT professional in banking may not be relevant to an insurance buyer, just as products that the insurance buyer finds valuable may not appeal to the banking and capital markets. It’s therefore imperative that we take stock of the insurance market’s efforts and endeavors when it comes to protecting insurers, their customers, and their data.
Aligning behind a cybersecurity framework in a fragmented, state-by-state regulatory environment
In the last few years, the U.S. insurance industry has taken several steps to work on cyber issues. The most obvious example is the recent moves by the National Association of Insurance Commissioners (NAIC) to promote their Insurance Data Security Model Law. This model legislation establishes a legal framework to guide state governments as they consider enacting laws to require insurance companies to implement cybersecurity protections. In general, the NAIC has become more outspoken on cybersecurity issues (see, for example, their 2015 Cybersecurity Bill of Rights) and has been working to ensure a consistent approach within the U.S. market.
If we look at these various activities, a few key points emerge that I think are valuable and worth keeping track of in the coming months:
- Less consumer data to build profiles—Can you remember the last time you engaged with your insurance company or even used their website? If you are like most consumers, you probably only engage your insurer when a problem arises (think flood, car accident, theft, etc.). As insurers work to improve their overall security stance, it’s worth remembering that most insurance companies don’t have as much ongoing engagement with their consumer clients. This lack of ongoing engagement means that insurers struggle to build strong and reliable profiles of consumers’ devices, identities, typical sign-in activity, and usage. Banks and credit unions, on the other hand, have tremendous amounts of data about their consumers, largely because consumers make ongoing use of their online and/or mobile banking technologies throughout the month or even the week.
- Fraud and security divergence—Like banking, insurance suffers from a blend of fraud and security concerns. However, those fraud concerns are dramatically different than what the banks contend with. Insurers typically worry about things like policies that are opened without someone’s knowledge, policies that are fraudulently cashed in, manipulation of elderly customers, and more. While there is sometimes an overlap with security issues, for the most part these fraud trends are not directly tied to data breaches, etc. Security issues, therefore, oftentimes compete with fraud issues for attention and resources.
- Fragmented regulatory environment—Unlike banks and credit unions, insurance companies in the U.S. are not as heavily regulated at the federal level. For the most part, they are regulated by state agencies and therefore engage in a more complicated set of risk-related discussions if they do business in multiple states (as most of them do). This makes it much harder for insurers to adopt cyber-prevention strategies that are consistent across the regulations they are subject to. While the insurers have CISOs and strong security teams in-house, those teams oftentimes are working to address internal consistency issues having to do with risk management or with overall risk appetite.
- CISO broader focus—It’s no surprise that the CISOs of insurance companies continue to adopt an approach that emphasizes taking a broader risk management view of their business, and they typically communicate openly with their CEOs and boards about cyber risk. However, their particular challenge is that insurance company senior leadership uniquely understands the notion of risk and may at times downplay or take for granted cybersecurity-related risk issues. This makes the CISO’s job inherently more difficult as the CISO is effectively “competing” for attention and may at times be forced to stack-rank the risk that they are highlighting against the risk that other peers on the senior leadership team may be highlighting (for example: liquidity risk, credit risk, etc.).
Stay current on the rapidly changing insurance sector security landscape
The state-by-state adoption of laws that are similar to or overlapping with the NAIC Insurance Data Security Model Law will continue at an unpredictable pace. As of this writing, over a half dozen states are debating these rules and determining the best way to apply the NAIC’s law while also weaving in coverage from the 2017 Cybersecurity Regulation from the New York Department of Financial Services (which overlaps significantly with the NAIC law). And as we move into a post-GDPR world and consider the California Consumer Privacy Act from this past June, it will be intriguing to see how insurers and banks take their cues from one another and also continue to promulgate laws unique to their own industry needs. If you are interested in staying current on these issues, you can monitor the NAIC website. And look out for future blogs from me where I’ll discuss other industries dealing with cybersecurity and compliance challenges.