The insurance industry is losing tens of millions of dollars annually to cybersecurity breaches and officials want to do something about it.
The National Association of Insurance Commissioners’ “Consumer Cybersecurity Bill of Rights” is expected to be finished in the coming weeks. The document will then be disseminated to consumers, Adam Hamm, chair of the NAIC’s Cybersecurity Task Force, said Thursday.
Portions of the Cybersecurity Bill of Rights are also expected to find their way into the NAIC model laws and eventually into state statutes, Hamm also said during a discussion on data breaches hosted by Center for Strategic & International Studies in Washington, D.C.
Hamm didn’t elaborate on which parts of the Cybersecurity Bill of Rights would make it into the NAIC’s model laws, but the association is taking into account industry feedback filed during the comment period earlier this summer. Cybersecurity is seen as one of the biggest threats facing businesses across the spectrum.
Hamm, the North Dakota insurance commissioner, used Thursday’s forum to update the industry on steps the NAIC is taking with regard to protecting consumers and the industry from network attacks.
In addition to the Cybersecurity Bill of Rights, Hamm said the NAIC has updated carrier examination protocols to find out how prepared insurance companies are to handle data breaches.
“The challenge for cyberrisk management for insurers goes well beyond that of other businesses,” Hamm said. “Today’s criminals target insurers because they keep personal, financial and health information.”
On Wednesday, Excellus BlueCross Blue Shield in Rochester, New York, announced it had been the target of a data breach affecting 10.5 million records.
In March, Boston-based health insurer Premera Blue Cross announced it had been the target of a breach affecting financial information involving 11 million customers.
Indianapolis-based Anthem Inc. earlier this year mailed letters to as many as 80 million customers whose data might have been compromised in separate data breaches affecting its subsidiaries in different states.
The regularity with which companies are being targeted has even caused Wired to proclaim 2015 as the year of the health insurer data breach.
In an industry governed by state regulations, developing a national framework to deal with data breaches is a priority for the NAIC.
As many as 47 statutes govern how the state-based insurance industry must respond in the event of a cyberattack.
While there remain variations among the different laws, the core message to insurers remains the same across all states, and “as of now, we’re not seeing anything moving toward pre-emption” of state laws by federal regulators, Hamm said.
During a panel discussion, representatives from the U.S. Treasury Department and the Department of Homeland Security (DHS) outlined the holistic steps they are taking to coordinate responses to network risks across government agencies.
Taking an enterprise risk management approach to fighting cybercrime is critical, said Suzanne Spaulding, undersecretary for the National Protection and Programs Directorate at DHS.
The staccato of network breaches affecting retailers, government agencies and insurers over the past three to four years is a sign that data networks are under attack every day, according to the security experts invited to speak on the panel.
Many attempted intrusions are being repelled by commercially available technologies like antivirus software, officials said. But when a company admits a breach, it’s often because management has only recently discovered the intrusion, which may have taken place months ago.
Network security experts say the supply chain is a frequent entry point for data breaches. The retailer Target, for example, suffered huge losses from an intrusion traced to a vulnerability affecting an HVAC contractor.
All of which makes it difficult for insurance regulators, who strive to ensure that insurers meet the highest security standards, to feel comfortable when dealing with dozens of carriers doing business in their respective states.
“We as regulators are looking at insurers to have a certain standard,” said Wisconsin Insurance Commissioner Ted Nickel.
Jake Olcott, vice president of BitSight Technologies, a Massachusetts company that develops security ratings similar to the FICO score used to evaluate consumer borrowers, said standards of care remain a fundamental issue among insurers.
International standards like ISO 27001 or the National Information Sharing Standards offer examples of good security practices, but the data technology changes so fast that it’s hard to keep up, other security experts on the panel said.
Olcott, however, also faulted states for underinvesting in information technology and data network protection. “Clearly, there’s been underinvestment at the state level,” he said.
A report issued in February by the New York Department of Financial Services found that 98 percent of 43 life, health and property-casualty insurers surveyed reported having some form of information security framework in 2013-14.
The survey also found that 98 percent of insurers employed data loss prevention tools, 98 percent employed file encryption and 95 percent used vulnerability scanning tools in the same two-year period.
The majority of insurers — 70 percent — reported suffering no financial loss in the past 12 months as a result of network breaches, and 23 reported suffering losses of less than $250,000, the survey also found.
One institution reported a loss of between $6 million and $10 million, the survey revealed.
Hamm said that as part of the NAIC’s push for a cybersecurity framework, information about carrier losses from network breaches would be published in the association’s annual report beginning in the first quarter of next year.
Loss information related to claims, the name of insurance companies, raw numbers, solvency issues and loss trends will be included in the annual report’s cybersecurity supplement.