A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law.

The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says.

“Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.”

Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state and variations in response allowed for jurisdictional commissioners.

After several high-profile hacks in 2015, the insurance industry and its regulators still are learning about the hackers aggressively hunting customer’s personally identifiable information (PII) data, financial records and medical histories.

Approximately 112 million health records were illegally accessed last year, according to the Office of Civil Rights for the Department of Human and Health Services. Most of those records were obtained in cyber attacks on Anthem in February 2015 and Premera Blue Cross in March 2015, in which a total of nearly 90 million records containing protected health information were compromised.

For insurers, standards are one thing, but having a well-managed information security program is another. New NAIC guidelines adopted by all states will greatly simplify the compliance and reporting process, says Amica Mutual Insurance’s CISO Gil Bishop. But that doesn't prevent breaches in the first place, he adds.

“One needs to be cautious to never simply equate compliance with effective security, regardless of the standard applied,” he says.

According to BakerHostetler’s 2016 “Data Security Incident Response Report,” 31 percent of breaches in 2015 were a result of phishing, hacking and malware, while another 24 percent resulted from mistakes by employees. The findings are based on more than 300 cases in insurance, education and financial services the law firm managed last year.

Hackers are not just seeking one kind of of data in their attacks; rather, all information is valuable to them. “They want whatever data they can monetize,” said Tom Dunbar, XL Catlin’s head of information risk management. “Executives better understand that breaches can happen to anybody. There is no such thing as 100 percent security, no matter the education or tech you throw at it. It is just a question of how we handle it, if it happens.”

Insurers witnessed a shift in interest by hackers from the financial sector to their industry two years ago, says Mark Ford, Deloitte’s leader of healthcare cyber risk services. The variety of data available to hackers at insurers makes them a very appealing target, he adds.

Currently, anti-malware and encryption stand as two of the best approaches by which insurers protect information, Dunbar says. Data loss prevention (DLP) tools also keep data from going anywhere it shouldn’t. But in theory, all lines of insurance are subject to hacks, Ford says. Insureds that have their life savings tied to investments instead of in a bank account put life/annuity companies at risk, while health data and medical histories, that provide a better overall picture of a persona for identity theft, endanger health providers.

While protecting data is a top priority, the industry is cautious about adding more security measures, including locks and controls around how data is transferred. The perception is insurers may not underwrite as much business if customers have to sign in to a site just to look at rates.

“It’s a mentality that really hasn’t changed that much in five-plus years,” says, Julie Bernard, head of Deloitte’s insurance cybersecurity team. “Budgets for security programs have gone up significantly in recent years, but it creates friction.”

Nonetheless, protecting data going forward may be directly tied to CISOs’ ability to adapt to the changing roles of the position. The CISO is now a salesperson, Dunbar says.

“The role of CISO is very business-driven now. There are so many avenues for hackers to come in that you can’t just focus on tech,” he said. "Yes, you will have a relationship with your CIO or CTO, but you need to understand the entire business and be able to talk to the CEO and the board as well.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access