Insurance, Finance Step Up Cybercrime Fight

WASHINGTON – The insurance and financial industries are stepping up the fight against cybercrime by urging more intelligence sharing and warning companies of the growing risks. Meanwhile, Anthem Inc., the second-largest health insurer in the United States, said hackers breached databases containing personal information for about 80 million customers and employees. It is likely the largest disclosed data breach in U.S. corporate history.

The Financial Services Roundtable today urged a Senate committee to pass legislation that would allow financial institutions to share threat intelligence with law enforcement officials and other industry members without facing potential legal repercussions.

“Each day, cyber risk grows as attacks increase in number, pace and complexity,” said Paul Smocer, president of the Financial Services Roundtable’s cybersecurity and technology think tank (BITS).

“Congress must enact legislation that incentivizes the sharing and receiving of cyber threat indicators among companies within sectors, between sectors and with the government,” Smocer said. He made his comments in testimony at a hearing of the Senate Committee on Commerce, Science and Transportation on “A More Secure Cyber Future: Examining Private Sector Experience with the National Institute of Standards and Technology (NIST).”

Smocer said that a recent report by Symantec found that the number of targeted spear-phishing campaigns, a key method used by cyber attackers to infiltrate victim’s systems to gather information, rose by 91 percent from 2012 to 2013. That method of targeting specific people was suspected in the enormous Sony hack last year.

“Another recent report estimated that as much as 15 percent to 20 percent of the nearly $3 trillion ‘Internet economy’ is extracted by cybercriminals,” Smocer said.

As threats continue to grow, Smocer said, “FSR members and the financial services industry as a whole have continued to increase investment in customer data security, with one firm spending as much as $250 million per year on its cybersecurity efforts.”

Smocer added that FSR believes strong comprehensive information sharing legislation would bolster steps already taken by the industry to thwart cyberattacks.

Smocer made his comments just a few days after the National Association of Insurance Commissioners named officers for its new Cybersecurity (EX) Task Force to monitor emerging cyber risks, their impact on the industry and whether regulatory action will be required.

The task force will coordinate NAIC efforts regarding: the protection of information housed in insurance departments and the NAIC; the protection of consumer information collected by insurers; and monitoring cyber-liability market, according to NAIC president Monica J. Lindeen.

“We're hoping to propose additional guidance to insurance examiners to assure the nation's insurers are using the best risk management practices available to manage their risk of cyber loss,” said Lindeen, who is also Montana Commissioner of Securities and Insurance.

The NAIC named Adam Hamm, North Dakota insurance commissioner, as chairman of the EX Committee. South Carolina Department of Insurance Director Raymond G. Farmer was appointed vice chair.

On Tuesday, the Securities and Exchange Commission released publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.

One publication, a Risk Alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers.

The report said that most of the examined firms reported that they have been the subject of a cyber-related incident. A majority of the broker-dealers (88 percent) and the advisers (74 percent) stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails, the report said.

Specifically, the report said that more than half of the broker-dealers (54 percent) and just under half of the advisers (43 percent) reported receiving fraudulent emails seeking to transfer client funds. About a quarter of those broker-dealers (26 percent) reported losses related to fraudulent emails of more than $5,000; however, no single loss exceeded $75,000, the report said.

“One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole,” the report said.

A quarter (25 percent) of the broker-dealers that had losses related to fraudulent emails noted that these losses were the result of employees not following the firms’ identity authentication procedures, the SEC report said. The one adviser that reported a loss also noted that its employees had deviated from its identity authentication procedures, the report said.

InsuranceNewsNet Washington Bureau Chief Arthur D. Postal has covered regulatory and legislative issues for more than 30 years. He can be reached at [email protected].