The Rippleshot Data Breach Blog

NY State Department of Financial Services: Cyber Security Report in the Insurance Sector

Written by Zach Walker | Mar 4, 2015 4:30:00 PM

Many have called 2014 “the year of the data breach,” which saw breaches affect retail organizations including Target, Home Depot, P.F. Chang’s and UPS. These data breaches combined for over 220 million exposed records in a period of just over 15 months. However, cyber criminals may have their sights set on a much more lucrative and untapped industry in 2015: insurance and health care providers.

In early February, news broke that a massive data breach had occurred at Anthem, the nation’s second largest health insurer, which put the sensitive data of nearly 80 million Anthem and various Blue Cross Blue Shield customers at risk of theft. For those in the health care industry, the Anthem data breach is being compared to the wake-up call retailers felt following the Target data breach.

Following the news of the Anthem data breach, the New York Department of Financial Services released its Report on Cyber Security in the Insurance Sector in an effort to better understand the cyber security measures currently being implemented at various insurers. Due to the sensitive and valuable nature of the data health insurers possess, cyber criminals are looking to gain access to the protected health information (PHI) and personally identifiable information (PII) of their customers.

Introduction

We’ve taken a look at the New York State Department of Financial Services’ report and recapped the main takeaways, ranging from corporate governance and reporting to cyber security incidents and breaches. Before diving into the detailed topics covered in the New York DFS’ report, it’s important to have a clear picture of these insurers and where they stand as organizations from a 20,000 ft. view.

 

Key Stats

  • 43 Insurance Providers Polled
    • 21 health insurance, 12 property and casualty, 10 life insurance providers
    • Combined Assets of $3.2 Trillion
    • Individual assets ranged from $4 Million to $403 Billion 

 

Management of Information Technology Systems

Looking at the 43 polled insurers and the management of their IT systems, as shown in Table 1, fewer than half (44%) ran their IT systems entirely in-house, while 56% relied on both internal and external resources to help run their IT systems.

 

Many organizations use third-party vendors to assist with day-to-day functions such as HVAC, IT and other services, but this only increases the risk of unauthorized access to an organization’s data. How an organization manages its IT systems is just the first step in establishing an effective information security framework.

 

Information Security Framework 

In the next section of the DFS’ report covering the need for information security frameworks, 98% of surveyed insurers reported having an information security framework already in place as shown in Table 2.

The New York Department of Financial Services considers a network security framework to include five key features: 1) incident monitoring and reporting; 2) risk management, including the identification of key risks and trends; 3) information security audits; 4) security awareness education and training for employees; and 5) incident monitoring reporting.

Another key takeaway from Table 2 is that 88% of the insurers surveyed have a communications plan in place to address stakeholders that may be affected by a data breach, and nearly 98% of insurers report that their organization has a designated communications officer to respond to any breach-related inquiries.

  

Use of Security Technologies

Now that we have a better understanding of how these insurers have set up their organizations from a security standpoint, we can shift our focus to how insurers use a variety of security technologies to help protect themselves and their customers.

 

As shown in Table 3, the insurers surveyed currently employ security technologies ranging from encryption for data in transit to biometrics, firewalls and many more. Reassuringly, 100% of the insurers surveyed are currently utilizing anti-virus software, spyware/adware detection tools, firewalls, encryption for data in transit and intrusion detection tools.

Nearly all of the insurers reported using file encryption (98%), data loss prevention tools (98%) and vulnerability scanning tools (95%). We can’t stress enough how important it is for organizations to have a suite of security tools at their disposal to help combat cyber threats.

 

Budget and Costs

With the average per capita cost of a data breach in the United States increasing 13% to $201 from 2013 to 2014, organizations are beginning to allocate the proper resources to information security budgets to combat new attack methods and threats. Just over 81% of those surveyed reported that their information security budgets have increased over the last three years and the other 19% stated that their information security budgets had remained the same.


In Table 6, none of the 43 surveyed insurers reported dedicating more than 7% of their organization’s overall budget to information security, with 14% of insurers dedicating less than 1% of their overall budget to information security. Nearly 86% of insurers expect their information security budgets to increase in the next three years, coinciding with an increase in retail security budgets for 2015, while the remaining 16% expect no changes during the same period.

 

Corporate Governance and Reporting

Thanks to the New York Department of Financial Services and their report, we have a better understanding of how these insurers use their information security budgets to employ a suite of security tools. But we still do not know how these organizations handle security issues internally and who is responsible.

 

In Table 8, we see that 81% of the insurers surveyed reported having a designated information security executive. Of those organizations, 69% said their information security executives report directly to the chief information officer (CIO). Despite having a dedicated contact to report to regarding security issues and concerns, the frequency with which these issues get reported varied by insurer.

For 86% of the insurers, senior and executive management receive updates on information security topics on a monthly basis. Unfortunately, only 14% of the surveyed insurers said that their chief executive officers are updated that frequently. For 53% of the surveyed insurers, their chief executive officers are updated on a quarterly basis and 60% reported that their CEO receives updates on an ad hoc basis.

 

Cyber Security Incidents and Breaches

The Anthem data breach was a watershed moment for insurers here in the United States and the customers they serve, with nearly 80 million customers affected due to a single data breach. Fortunately for the 43 insurers surveyed, 58% reported that they had not experienced any cyber security incidents in the last three years as shown in Table 10.

While those initial numbers may seem comforting over a three-year period, it’s worth noting that 2% experienced anywhere between six and ten data security incidents and 5% reported more than ten breaches during the same time period. Diving even deeper, the report shows how these insurers are being targeted by cyber criminals and the various techniques used to penetrate their IT systems, as shown in Table 11.

 

 

These insurers reported seeing a wide variety of penetration techniques, including malware (33%), phishing (23%) and the use of botnets (21%). Even with these penetration techniques, the surveyed insurers as a collective reported fewer negative effects following a data breach. When asked if they had suffered monetary damages directly caused by data breaches in the past 12 months, the majority of insurers had a similar response.


As shown in Table 13, 70% reported suffering no financial losses or monetary damages in the past year, while 23% listed losses of less than $250,000 and 2% reported losses between $251,000 and $500,000. For 2% of those surveyed [one insurer], monetary damages inflicted by a data breach in the past year were between $6 million and $10 million.

 

Planning for the Future

Looking to the trends of 2015 and the future of information security, over half of the insurers believed that their current information security strategy adequately addresses both new and emerging risks, while another 14% stated that they would need to research new and emerging risks before making such a claim. The insurers were then asked to describe what barriers they face when trying to ensure their organization’s information security.

 

 

As seen in Table 14, the majority of insurers responded with two barriers that disrupt an organization’s information security framework. Both the increasing sophistication of cyber security threats (81%) and emerging technologies (72%) had the highest levels of responses followed by lack of clarity surrounding mandates, roles and responsibilities (9%).

 

Conclusion

Thanks to the New York Department of Financial Services and their thorough report on cyber security in the insurance sector, we’ve gained insight into an industry that has been thrown into the spotlight following the Anthem data breach. As information security experts continue to investigate and research emerging security tools, cyber criminals are working just as hard to develop new attack methods in a never-ending game of cat and mouse.

To learn more about the current payment security landscape and which technologies are hoping to have an impact on the stats above, download our Payment Ecosystem Whitepaper.