Monica Lindeen of the National Association of Insurance Commissioners (NAIC), who is also Montana Commissioner of Securities and Insurance, said the NAIC’s Cybersecurity (EX) Task Force has adopted a cyber-strategy for insurers.
She said that with the recent high-profile breaches, it is obvious that risk is more significant these days, since more consumer financial and health information is being stored electronically. The NAIC principles are aimed at — from an insurance perspective — making that data more secure.
“These principles will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry,” Lindeen said.
Titled Principles for Effective Cybersecurity Insurance Regulatory Guidance, the twelve principles direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them.
But is insurance really the problem? And should we be aiming in that direction to solve troubles with cyber-security? From a strictly insurance perspective, it’s hard to argue that direction is a bad thing.
The U.S. cyber-insurance market in 2014 doubled in size from $1 billion to $2 billion.
A report from Bloomberg View says that’s a huge increase, but what many don’t know is those policies may not provide the coverage needed for companies to be truly protected in the long term.
AIG’s new CEO Peter Hancock worries, like Bloomberg View, that there isn’t enough cyber-insurance capacity. Currently insurers are only covering a fraction of the cost of a breach.
“The largest coverage I’m aware of is for a bank that has about $400 million in coverage which is very small when you think about it. When you compare it to the amount of capacity that’s available for a complex chemical plant, refinery, offshore oil platform, the numbers are much, much higher,” he said.
Hancock used Target as an example. It had insurance but the breach cost the firm $252 million and only $90 million was covered by insurance. The result is a $162 million difference or 64%.
From there the argument says insurance merely solves the consequences. It does not take care of the security issues that have led to so many hackings and breaches.
Here’s what Bloomberg suggests:
• Increased government regulation for disclosure, so vulnerabilities can be analyzed and other organizations can be made aware of their limitations.
• Conducting thorough post-attack audits to fully understand what took place.
• Brokers helping to educate clients on their specific risk profiles, and guiding the implementation of defensive procedures.
A better understanding of cyber-attacks might be in order as well.
Negative publicity lately on the hacks of Anthem, Sony, Target and others leads many of us to believe that hackers are fairly well-funded and sit in front of their computers 24/7. While it’s true that many of them are well-funded, we think their success comes from sitting in front of their computers with sweat running down their brow and dig, dig, digging until they’re through the firewall and into your precious database.
This is so not true.
Most attacks are successful because an employee clicks on an email that has a bug in it, or the company doesn’t take care of that security patch it needs for a software flaw, or the technicians setting up the system do not configure it correctly.
This is the conclusion of two well-funded studies by technology security companies Symantec and Verizon. The Verizon report says of the 290 studies it did from 2014, 66% happened because of phishing.
It gets direr than that. The report notes that hackers can send a tainted email to as few as 10 employees of a firm and know that one of them will open it. The success rate for opening is 90%.
A report from Symantec said the same thing. It looked at state-sponsored hackers and found their success is from phishing, too.
By the way, cyber-crime jumped 23% in 2014. And those data breaches cross every line of business.
Experian is a security company. It says just a third of companies have adequate cyber-insurance and the biggest hole of all is in health care. “When combined with new Health Insurance Portability and Accountability Act (HIPAA) data breach compliance rules that require more notification, the healthcare industry is likely to make the most breach headlines within the year,” the Experian report said.
Christine Marciano heads the firm Cyber Data Risk Managers, and she’s anticipating a profitable future. “Companies are starting to become more aware of cyber insurance — that it exists and what it covers. It’s going to be about when a [cyber-attack] is going to happen, no longer if. I think my business will continue to grow because organizations will realize the risk is always going to be here, and they should have coverage for it.”
Meanwhile, until changes are made, you — the independent insurance agent — can benefit from the demand. And while you’re at it, make sure you’re protected, too. The PIA Western Alliance has cyber-insurance protection for you. Touch base with PIA Western Alliance Director of Insurance Lisa Tucker at 888-246-4466, ext. 112.
Or you can reach her via email at email@example.com.
Source links: Three from Insurance Business America — link 1, link 2, link 3 and insurancejournal.com