NAIC: Cybercrime Response Needed to Stem Millions in Losses
The insurance industry is losing tens of millions of dollars annually to cybersecurity breaches and officials want to do something about it.
The National Association of Insurance Commissioners’ “Consumer Cybersecurity Bill of Rights,” is expected to be finished in the coming weeks. The document will then be disseminated to consumers, Adam Hamm, chair of the NAIC’s Cybersecurity Task Force, said Thursday.
Portions of the Cybersecurity Bill of Rights are also expected to find their way into the NAIC model laws and eventually into state statutes, Hamm also said during a discussion on data breaches hosted by Center for Strategic & International Studies in Washington, D.C.
Hamm didn’t elaborate on which parts of the Cybersecurity Bill of Rights would make it into the NAIC’s model laws, but the association is taking into account industry feedback filed during the comment period earlier this summer. Cybersecurity is seen as one of the biggest threats facing businesses across the spectrum.
Hamm, the North Dakota insurance commissioner, used Thursday’s forum to update the industry on steps the NAIC is taking with regard to the protecting consumers and the industry from network attacks.
In addition to the Cybersecurity Bill of Rights, Hamm said the NAIC has updated carrier examination protocols to find out how prepared insurance companies are to handle data breaches.
“The challenge for cyberrisk management for insurers goes well beyond that of other businesses,” Hamm said. “Today’s criminals target insurers because they keep personal, financial and health information.”
On Wednesday, Excellus BlueCross Blue Shield in Rochester, New York, announced it had been the target of a data breach affecting 10.5 million records.
In March, Boston-based health insurer Premera Blue Cross announced it had been the target of a breach affecting financial information involving 11 million customers.
Indianapolis-based Anthem Inc. earlier this year mailed letters to as many as 80 million customers whose data might have been compromised in separate data breaches affecting its subsidiaries in different states.
The regularity with which companies are being targeted has even caused Wired to proclaim 2015 as the year of the health insurer data breach.
In an industry governed by state regulations, developing a national framework to deal with data breaches is a priority for the NAIC.
As many as 47 statutes govern how the state-based insurance industry must respond in the event of a cyberattack.
While there remain variations among the different laws, the core message to insurers remains the same across all states, and “as of now, we’re not seeing anything moving toward pre-emption,” of state laws by federal regulators, Hamm said.
During a panel discussion, representatives from the U.S. Treasury Department and the Department of Homeland Security (DHS) outlined the holistic steps they are taking to coordinate responses across government agencies and network risks.
Taking an enterprise risk management approach to fighting cybercrime is critical, said Suzanne Spaulding, undersecretary for the National Protection and Programs Directorate at DHS.
The staccato of network breaches affecting retailers, government agencies and insurers over the past three to four years is a sign that data networks are under attack every day, according to the security experts invited to speak on the panel.
Many attempted intrusions are being repelled by commercially available technologies like antivirus software, officials said. But when a company admits a breach, it’s often because management has only recently discovered the intrusion, which may have taken place months ago.
Network security experts say the supply chain is a frequent entry point for data breaches. The retailer Target, for example, suffered huge losses from an intrusion traced to a vulnerability affecting an HVAC contractor.
All of which makes it difficult for insurance regulators who strive to deal with insurers that meet the highest security standards, to feel comfortable when dealing dozens of carriers doing business in their respective states.
“We as regulators are looking at insurers to have a certain standard,” said Wisconsin Insurance Commissioner Ted Nickel.
Jake Olcott, vice president of BitSight Technologies, a Massachusetts company that develops security ratings scores similar to a FICO score used to evaluate consumer borrowers, said standards of care remain a fundamental issue among insurers.
International standards like ISO 27001 or the National Information Sharing Standards offer examples of good security practices, but the data technology changes so fast that it’s hard to keep up, other security experts on the panel said.
Olcott, however, also faulted states for underinvesting in information technology and data network protection. “Clearly, there’s been underinvestment at the state level,” he said.
A report issued in February by the New York Department of Financial Services found that 98 percent of 43 life, health and property-casualty insurers surveyed reported having some form of information security framework in 2013-14.
The survey also found that 98 percent of insurers employed data loss prevention tools, 98 percent employed file encryption and 95 percent used vulnerability scanning tools in the same two-year period.
The majority of insurers — 70 percent — reported suffering no financial loss in the past 12 months as a result of the network breaches, and 23 reported suffering losses of less than $250,000, the survey also found.
One institution reported a loss of between $6 million and $10 million, the survey revealed.
Hamm said that as part of the NAIC’s push for a cybersecurity framework, information about carrier losses from network breaches would be published in the association’s annual report beginning in the first quarter of next year.
Loss information related to claims, the name of insurance companies, raw numbers, solvency issues and loss trends will be included in the annual report’s cybersecurity supplement.
Smaller Insurance Companies Keeping Pace Among Top 20 Carriers
Schwab Survey: RIA Mergers & Acquisitions up by 28 Percent
Advisor News
- Regulator group aims for reinsurance asset testing guideline by June
- Bessent confirmed as Treasury secretary
Former hedge fund guru to oversee Trump's tax cuts, deregulation and trade changes
- Jackson National study: vast underestimate of health care, LTC costs for retirement
- EDITORIAL: Home insurance, tax increases harm county’s housing options
- Nationwide Financial Services President John Carter to retire at year end
More Advisor NewsAnnuity News
- MetLife Among the World’s Most Admired Companies by Fortune Magazine
- Aspida and WealthVest Announce a Suite of New and Enhanced Indices for Their WealthLock® Accumulator Product
- Brighthouse Financial Inc. (NASDAQ: BHF) Sees Notable Increase in Tuesday Morning Market Activity
- Hexure Integrates with DTCC’s Producer Authorization, Providing Real-Time Can-Sell Check within FireLight
- LIMRA: 2024 retail annuity sales set $432B record, but how does 2025 look?
More Annuity NewsHealth/Employee Benefits News
- 'Floridians need to pay attention.' Are we prepared for federal cuts to our health care?
- New New York state tax credit for small businesses introduced
- How did health insurance coverage changes affect older adults? Two new studies take a look: Michigan Medicine – University of Michigan
- Montana House approves pay raises for state employees, legislators
- Montana Medicaid: How Trump and GOP-led Congress could alter health care for thousands
More Health/Employee Benefits NewsLife Insurance News
- Legals for January, 31 2025
- Automatic Shelf Registration Statement (Form S-3ASR)
- Best’s Special Report: Impairments in US Life/Health Insurance Industry Jump to 10 in 2023
- AM Best Maintains Under Review With Developing Implications Status for Credit Ratings of Solidarity Bahrain B.S.C.
- AM Best Maintains Under Review With Developing Implications Status for Credit Ratings of First Insurance Company
More Life Insurance News