Cyberattacks in the Insurance Industry: How to Protect Your Company and Your Clients
Author: CSC Town Hall
Experts from Co3 and CSC recently discussed the impact of attacks on the insurance industry and how an effective incident response program can help you prepare for, respond to and survive an information security-related incident.
- Gant Redmon, General Counsel and VP of Business Development, Co3
- Stephen Brennan, Global Technical Consulting Lead - Managing Partner, CSC
Jeff Caruso, Senior Managing Editor, CSC
Cyberattacks in the Insurance Industry
Insurance companies hold significantly more consumer data than ever, making them an attractive target for cyberattacks. As hackers become more sophisticated and insiders become bolder, insurers need to safeguard data that belongs to them and their clients.
Stephen Brennan, a managing partner and global technical consulting lead at CSC, says the insurance industry faces threats from all quarters -- casual hackers, agenda-driven "hacktivists," and organized attacks.
"Insurers are attractive for the private data they hold on millions of individuals and companies," Brennan says. "That data can be used for identity theft, or even in the case of North Korea, to commit insurance fraud that generates revenue for the government."
Brennan says the financial services industry has shown how working together helps companies respond collectively to threats. "Financial services has developed a number of responses to make them more secure - and they've done it as an industry, from new languages that protect transactions to working with industry experts to put attacks into context," Brennan says. "They've learned that while they all compete at a business level, no one standing in isolation is really safe."
Gant Redmon, general counsel and vice president of business development at Co3, says that developing an institutional memory with respect to attacks can help companies form a more proactive response to incidents. "You've got this IP address or this hash that stands out. It's an artifact of data that doesn't fit. Having a way to catalog those artifacts means that when you come across them again, you have a way of linking incidents and recalling how you dealt with them before," Redmon says.
A great deal of information passes between carriers and third-party providers of services that are part of the insurance value chain, which means that data is held by organizations with a wide range of security standards. Both panelists said that insurers should consider setting data security standards for vendors as a prerequisite for doing business.
"I like the idea of setting a standard for vendors," Redmon says. "Larger insurers are seeing a trend where they can't get subcontractors to accept liability for data breaches, which means they are taking on sole responsibility. Developing a trusted third-party standard means you can evaluate all your vendors against a common measure and drop those who don't comply."
Insurers interact with so many individuals and companies that they have a large "attack surface," Brennan says, which leaves them more vulnerable than many other industries.
"The way to handle that is by understanding not just security controls, not just security policies. More fundamentally, you need to understand who wants to target the company and what makes them a valuable target," Brennan says. "What influences their decision to attack that particular company? That's the only way you can develop an effective ability to respond to attacks."
Other topics discussed include:
- Steps insurers can take to ID customer vulnerabilities
- Priorities when a breach is identified
- Can you practice incident response?
- Incident response auditing
- Communication challenges following a breach
- Learning from past breaches
- Cybersecurity threats on the horizon