Guiding Insurance Professionals on the New Insurance Regulatory Guidance
In the wake of some of the largest data breaches to hit health insurance companies, the National Association of Insurance Commissioners has followed on the heels of the Securities and Exchange Commission and has issued “Guidance” on cyber security. In April, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance.
The Principles for Effective Cybersecurity: Insurance Regulatory Guidance looks to state insurance regulators “to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks.” The guidance encourages insurers, agencies and producers to secure data and maintain security with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.
Producers, agencies and insurance companies could all be held liable for the loss of Protected Health Information (PHI) and personally identifiable information (PII) of prospects and clients, such as a person’s full name, date of birth, address, and Social Security number.
The basic function of the NIST Framework consists of five functions, each divided into subcategories, as well as standards, guidelines and best practices. A security consultant who specializes in threats and cybersecurity can assess your network and help you secure your network using the NIST Framework and other standards. Whomever you work with should be familiar with common threats targeting the insurance industry, as well as the tactics, techniques and procedures attackers are using around the globe.
NIST Five Functions
Function 1: Identify
Identify your assets and risk so you can prioritize your security efforts. The first thing you’ll need to do is conduct a risk assessment to identify all your information assets, such as client lists, business strategies, marketing information, and client data. Then rank each of them according to their values, from very low to very high, to help you focus on protecting the high-value data. You’ll also need to do a vulnerability assessment to see what systems and company Web-facing applications are weak. Your assessor can help you rank the likelihood and probability of a threat exploiting certain vulnerabilities, and can assess your internal and external network controls, policies and procedures, gaps compared to regulations, and best practices.
Function 2: Protect
Once you know your information assets and their values, you can gauge your resources accordingly and decide what measures to take to protect them. Not only might you need security devices and software, you’ll need people to continually operate the devices. Many organizations erroneously believe that they can buy a security solution to protect their networks from intruders. However, all cybersecurity protective devices (firewalls, instruction protection/ detection systems, unified threat management appliances and others) need to be consistently configured, managed and updated with the latest patches—as long as the update won’t harm the network. Once you buy a protective device, you need a human being for it to operate to its best ability. No matter what any security vendor says, all protective devices need consistent human interaction. There is no device that works automatically after plugging it into your network. Numerous breaches have occurred because people were not properly operating protective devices. When devices are not properly and consistently configured, hundreds of alerts go off and are ignored. Then the story becomes “The Boy Who Cried Wolf.”
Function 3: Detect
Although you could have hundreds of preventive controls to prevent security incidents, some will still occur. That’s why it is important to be able to detect any anomalous activity as quickly as possible to get any attackers out as quickly as possible to prevent or lessen any damage. To spot attacks quickly, you need to monitor your network traffic and your endpoints (servers, workstations and laptops) 24 hours a day. It takes about 48 days for most organizations to recognize they’ve been breached, according to the 2013 survey report “Post Breach Boom” by the data security research center, Ponemon. However, when your network is continuously monitored, you can spot anomalous activity as soon as it occurs. In addition to monitoring your network, you also need to have detection systems on your endpoints (servers, laptops and workstations) that are also continuously being monitored. That allows you to see any anomalous activity on them so you can stop the attackers before they traverse the network.
Function 4: Respond
The sooner you recognize you’ve been breached, the sooner you can get the attackers so as to minimize the damage. The longer attackers are in your network, not only do you lose more and more data, it becomes more difficult and costly to get the attackers out. Getting attackers out of your network takes a lot of expertise that most organizations don’t have. Less than half of respondents to the Ponemon Post Breach survey said their organizations have the tools, personnel and funding to prevent, quickly detect and contain data breaches. While your organization can try to respond to a breach on its own, unless it has a full-time security team that works with threats day in and day out conducting incident response engagements, has a global view of the threat landscape, and is familiar with certain patterns attackers make in networks, it may not be able to remove the entire threat. If it removes all but one trace of the threat, the attackers could still be hiding inside the network. To fully remove the threat, it often takes the expertise of a team that has handled hundreds of engagements and is familiar with the tools, techniques and procedures attackers use. The average time to resolve a cyberattack is 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period, according to the 2014 Cost of Cybercrime Study: U.S. by Ponemon. That long time span and high cost can be greatly reduced if you understand the attackers and the ways they work. Professional incident response (IR) teams that conduct IR engagements full time could get attackers out in hours or days compared to weeks. Security companies offer IR retainer contracts that guarantee experts can be onsite within 24 hours to begin remediating a breach when necessary, and that you get discounted rates, usually saving you about $100 an hour. Without a retainer, it could take an organization a few days to select an IR team and for one to become available. The sooner you get the attackers out, the less cost overall. Results from the Ponemon 2013 Cost of Cybercrime Study: U.S. show a positive relationship between the time to contain an attack and organizational costs incurred from business disruption, data loss, recovery costs and legal costs. The total annualized cost of cyber crime in 2014 ranges from a low of $1.6 million to a high of $60.5 million.
Function 5: Recover
Recovering from an attack takes planning long before your network is breached. You should have a Business Continuity Plan in place, as well as policies and plans in place to run your website and network from another offsite location. You should always keep hardware backups of your data each day. A security consultant can work with you to help you decide how much and what data needs to be backed up, as well as what critical systems and components are essential to your organization’s success. The recovery function helps you restore capabilities and services that were impaired. All these decisions need to be made before a crisis.
Although independent agents probably won’t have a network to protect, at the very least they should take applicable steps to secure their computers. They need to ensure privacy of their prospects’ and clients’ personally identifiable information (PII), including addresses, dates of birth, Social Security numbers, health data, and insurance policy information. They should ensure their computers are password protected so an intruder would be unable to access data on it. They should also use a private network at home and a virtual private network (VPN) whenever connecting to a public network. Using a public network at a coffee shop or restaurant makes you easy prey for attackers to snoop and see everything you are doing on the network. They can see all the sites you visit and everything you type on an online site, such as your login credentials. The right VPN will encrypt all traffic so even if attackers manage to snoop on your online activity, all they would see would be unintelligible gibberish.