One word that scares insurance executives, from CEOs down to network administrators is “hacked.” The loss of data and an inability to run the company website are bad enough, but the reputational risk is even more of a stain for the enterprise.

By Michael P. Voelker

Insurers of all sizes face ever-expanding risk in cyber security, including new threats, increased regulation, and a burgeoning amount of data. Information that was once considered locked behind corporate firewalls is now spread across the extended enterprise thanks to cloud computing, mobile, and other distributed technologies, creating challenges for even the most seasoned security professionals.

“The whole perimeter is now gone,” says Thomas Dunbar, senior vice president and chief information risk officer, XL Global Services. “There are so many third parties you share data with and so many ways in and out of your infrastructure, that it’s a huge challenge to constantly monitor [your security] to be sure you have the best protection.”

The hard-dollar cost of a data breach is one component of risk. “We can figure out worst case scenarios,” from a cost standpoint, says Kirk Herath, vice president, associate general counsel, and chief privacy officer, Nationwide Insurance Companies.

“It’s a pretty easy formula: the number of records at risk times what would it cost to mail notification responses, the percentage of people who would take credit monitoring and protection, and the scalability concerns associated with a large breach, such as the need to rent a service center” during the remediation period, Herath adds.

According to research by the Ponemon Institute, the breach cost per record is $188. Insurers who underwrite cyber liability coverage also have their own experience with customers’ data breaches. In the latest study by NetDiligence of cyber claims paid by insurers, the average claim was $954,253, which included legal settlement, legal defense, and crisis service costs.

“There are also the cost of forensics to assess the cause of loss. Then, you’re likely to get a class action suit you have to defend and, because you do business in a highly regulated industry, you’re likely to get investigated by regulators and need to retain outside legal counsel,” Herath says.

However, the hard-dollar cost is only part of the loss companies face. “You can recover financially from a breach, but you have to worry about what it will do to your reputation,” Dunbar says. “Reputational risk comes up constantly in our company’s overall risk program, but it’s tough to calculate. There’s not a specific technology or tool out there that will solve reputational risk.”

“Reputational risk is the multiplier of multipliers,” Herath says. “Reputational risk is very real, and it also tends to excite the fear centers of our brains. That fear is the reason why most of us actually spend the money we do [on security].”

“The challenge with reputational risk for insurers is the unknown,” says industry analyst Jamie Bisker. “Customers may say, ‘yes, this company gave me a good insurance deal, but they notified me of a breach and I had to monitor my credit for weeks afterward.’ It makes them very nervous.”

Defense in Depth

“We’re not different from other companies in that we consider a number of different scenarios in cyber risk,” Nationwide’s Herath says. “That can include both external and internal threats as well as risks generated through partner and vendor relationships. It can range from individual associates and agents up to entire companies that we do business with.”

“All firms are at risk,” says Mike Money, director of information security and privacy at global security consulting firm Protiviti. “There are threats through email phishing attacks, malware, advanced persistent threats, social engineering, viruses, keystroke loggers, and others.”

Although P&C insurers may not deal with the amount of customer medical information or financial data as do their counterparts in life and health insurance or banking, the risks companies face regarding loss of private information are just as real. Regulations continue to broaden the scope of what constitutes personally identifiable information (PII) that companies are bound to protect. Insurers also contend with state regulations that levy penalties and fines even if no loss has occurred, such as through wrongful data collection.

“Some states have very active AGs [attorneys general]. I feel many fund their departments solely through fines and penalties,” says Mark Greisiger, president of NetDiligence, which provides cyber risk assessment services. “They come after you for the smallest of breaches.”

Ash Raghavan, principal in Deloitte’s enterprise risk services focusing on cyber risk in the financial services sector, sees the risk for insurers growing in a “post-digital” world defined by wide-scale adoption of cloud computing, mobile technologies, social media, and big data.

“Insurers are collecting more information on customers,” Raghavan says. “Some are using telematics to get information about driver patterns and driver behavior. Many are making their distribution channels more effective by providing deeper customer analytics. They are capturing other information potentially construed as sensitive by customers or regulators. They need to understand all these customer interactions, what data is being shared, where it is stored, and who is accessing it.”

Cloud technologies present new security exposures, contractual agreements that favor cloud providers if a breach does occur, and risks associated with data aggregation of many insurers using the same cloud provider. Mobile technologies create new endpoint control challenges. At the same time, the sophistication of attackers continues to grow.

“The attackers aren’t necessarily persons or even groups of persons. They are machines,” says Bryant G. Tow, partner, Vaco Risk Solutions. “The time it takes to compromise an unprotected computer on the Internet is 60 seconds because it involves machines hacking on machines.”

Attacks aren’t just automated; they’re increasingly organized by criminal groups and geo-political forces bent on cyber terrorism. “Our biggest concern right now is what you would call nation-state hacktivists,” Herath says. “Just the asymmetry of a potential attack compared to available defenses is overwhelming. An organization with nation-state level spending can attack with far greater strength than any individual private actor has the capability of defending. They can simply throw so much at you that they are likely to win.”

Nationwide would know. On October 3, 2012, a portion of the computer network that is used by Nationwide and Allied Insurance was breached by an unidentified criminal perpetrator. Over one million individuals’ names and Social Security numbers, driver’s license numbers, dates of birth, employer information, and other identifying information was compromised. 

Herath couldn’t comment on facts of the case with litigation surrounding the breach still in progress, but stressed that no evidence has come forward that any information stolen in the attack has been misused. Nationwide offered individuals a free credit-monitoring and identity theft protection product for one year as part of its response to the incident.

Nationwide, like most insurers, continues to fend off organized cyber assaults. “We look at where the attacks are coming from our log data, and they are from all over the globe,” Herath says. “Some are from the U.S., but a lot are from Eastern Europe, Asia, and Brazil, feeling us out and trying to determine if we are ripe for the picking.”

Starting with Strategy

Insurers need a defense-in-depth strategy that includes technology, processes, and people. Technological defenses remain the strongest—or at least the most controllable—link in the chain. NG (next-generation) firewalls, intrusion detection, and data loss prevention are essential safeguards for any insurer. However, with the variety of tools available, companies need to know which solution best fits their risk management strategy.

“Having an overall strategy is the biggest thing missing at some companies because they look at the tools first,” says Tow. “The good news, however, is that board-level staff and senior management understand the need to improve programs. They are asking for cyber security updates and are willing to allocate the budget and resources to security.”

Dunbar reports that his department has solid backing from upper management. “I report to XL’s chief enterprise risk officer and I have his support, as well as internal audit support and the support of the CEO,” he says.

As part of its defense-in-depth security strategy, XL has focused on the risks of mobile technologies. All mobile devices, including company-issued phones and USB drives, are encrypted. XL’s portal infrastructure also incorporates controls that restrict the download of data to only approved and encrypted devices, and data loss prevention (DLP) software monitors all data that moves outside the organization.

A growing risk for insurers in the world of mobile is the increased demand for bring-your-own-device (BYOD) from users. XL uses mobile device management software to provide containerization of potentially sensitive data on user-owned endpoints.

“A big risk with mobile devices is that users can move data insecurely on the device once they’ve received it. We require users to install mobile device management software on their device if they want to receive XL email or other information,” Dunbar says.

In addition to providing proactive control through containerization, the software also allows XL to wipe data from a device if it’s lost. “It puts more restrictions on the individual regarding how they can use their device, but we feel it is an essential control,” Dunbar says.

People and Processes

Technology may be the strongest link in the cyber security chain, but it is only effective if it’s used consistently and correctly. Bad practices at the organizational level can thwart the best technology controls.

“Companies fail at the basics,” says Greisiger. “Whether it’s a large company or small, the amount of private information that we find companies putting on laptops and other devices with hardly any controls or encryption is amazing.”

Recently, Horizon Blue Cross Blue Shield of New Jersey notified its customers that, during the first weekend of November, laptops were stolen from the company’s Newark headquarters. Those devices may have contained the personal medical information of nearly 840,000 customers. In its notification to customers, Horizon reported that the laptops were password-protected and cable-locked to employee workstations—but the devices were unencrypted. (Horizon did not respond to requests to comment for this story.)

A company’s cyber risk management process needs to include not only consistent use of technological controls, but also what to do when—not if—there is a breach.

“Even if you suffer a loss, it doesn’t mean you weren’t doing the right things,” says Greisiger. “We see companies with very good security measures and millions of dollars in security budgets get hit. Every company needs a public relations strategy.”

“Getting in front of [a breach] and keeping people informed is a better response than trying to keep it under wraps. Public relations should be a key part of a proactive risk management plan,” says Money.

A company’s risk management process also needs to consider the variable that is most difficult to control: people. “The perimeter is no longer the firewall. The perimeter is the person,” says Tow.

“People are under attack who are not IT and security professionals. They are everyday users,” Money says. “Companies struggle with how to make them aware of security without swamping them with technology,” he says.

Nationwide’s security program includes what the company calls “Associate as Firewall.”

“Associates’ behavior in their capacity both as employees and private individuals presents certain risks,” Herath says. “If we can train them on how to behave safely, both at work and at play on the Internet that helps us reduce some of the most obvious risks.”

In addition to network controls, encryption, and other corporate-level safeguards, Nationwide has made a commitment to providing cyber security technology to the end user. The company, which uses MacAfee software on all end points on its network, provides the software to its employees to install on their own personal devices.

Nationwide also includes online data protection tools to its customers in its identity theft coverage product. The tools, provided through Europ Assistance USA, include DataScrambler to prevent keystroke logging and PhishBlock to warn users against phishing sites and attacks.

“We are trying to encourage better behavior,” Herath says. “The theory is that if we give people the tools to protect themselves, that they will be more secure in their own space. The vast majority of individual account takeovers are a result of people getting phished or downloading spyware that steals their passwords and IDs.”

XL Group has focused on creating a culture of cyber security. “You have to work on behavioral changes. You have to give [employees] not just the tools, but also the training to remind them that we are only as strong as they are,” says Dunbar.

Training is just one part of a comprehensive program. “Most organizations have security training they do on an annual basis, but just providing training isn’t effective,” says Raghavan. “In order to push a change in user behavior, you need to establish an awareness campaign. We are starting to see organizations have those campaigns—newsletters, intranet sites, lunch and learns—rather than just point-in-time exercises.”

In addition to providing quarterly training to employees, XL issues frequent security bulletins, sends email blasts on security topics, puts up security-focused posters throughout its offices, and has an internal blog on security topics. The company also performs ongoing evaluation of its security controls, including internal phishing password strength testing, and presents the findings to colleagues.

The results are often eye opening. “We show employees what a phishing email looks like and superimpose all the clues that should have tipped them off,” he says. “We show them that if it sounds too good, it probably is. We teach them to take the extra two seconds to mouse over links to see the true source before clicking on them.”

Counting the Cost

Companies may say they can’t put a price on reputation, but the fact is the technology, processes, and training that are all part of effective cyber security come at a price that must be weighed against risk and budget realities.

“When we look which insurance companies are not doing as well at the strategic level, it’s the mid-tier. The big boys have CISOs and technology and all the things necessary to have at least a semblance of security,” Tow says. “Mid-tier insurance companies are a target-rich environment for organized criminals and nation-states. Those companies may not have the budget for a full-time CISO, but they still need the capability to determine strategy, policy, and technology.”

However, Tow says the cyber security scenario is continuing to improve. “The attention level that security is getting is growing due to increased numbers of headlines in the mainstream media on breaches. Companies have a better understanding of the need for diligence around applying the same methodologies for protecting and insuring risk for clients to their own cyber security. It’s getting better.”

“We’re looking at new technologies all the time. The question is how much security is enough and what is the right type of security,” Dunbar says. “It’s constant vigilance.”

--

Sidebar: Physician, Heal Thyself

Cyber insurance is a booming business for insurers. According to the 2013 Betterley Report, the cyber/privacy insurance market is a $1.3 billion business—up from $1 billion the year prior. In Zurich’s 2013 Cyber Liability Risk Management Survey, more than half of the respondents reported purchasing cyber liability insurance—the first time in the history of the survey this has surpassed the 50 percent mark.

With all that activity, the question arises of whether insurers with experience from underwriting the coverage are leveraging that experience in their own risk management efforts around cyber security.

“The answer to that is it’s inconsistent,” says Ash Raghavan, principal in Deloitte’s enterprise risk services. “Some organizations do have that line of sharing, others are working through it, and some are just getting started.”

“The insurers that write it [cyber] are not nearly as well protected as many of their clients,” observes Stephen Applebaum, senior analyst covering P&C insurance at Aite Group. “There is this irony that underwriting doesn’t talk to claims and claims doesn’t talk to underwriting, so the area of ‘cross pollination’ appears from my exposure to be fairly limited.”

XL Group’s Thomas Dunbar, senior vice president and chief information risk officer, says that his department does work with underwriting around cyber risk.

“As underwriters have put together questionnaires for companies in order to gain an understanding of what their security programs look like, we’ve helped them with the question set. We help them know what basic questions to ask and, based on the answers, what questions to ask after that,” he says.

“Likewise, we’ve taken what underwriting has learned and strengthened our own security team. We supported each other,” he adds.

--

Pullquotes

“The perimeter is no longer the firewall. The perimeter is the person.” Bryant G. Tow, Vaco Risk Solutions.

“Reputational risk is the multiplier of multipliers.” Kirk Herath, Nationwide Insurance Companies.