Two months ago, if someone were to Google search for a subsidiary of one of the nation’s largest bond insurers, they could find information about its corporate structure, access annual reports, and read about its history. However, due to a simple misconfiguration of a database server, one could also discover a wealth of private consumer account numbers, balances, and internal administrative credentials. While this particular issue was resolved before malicious hackers seized the opportunity to acquire consumer information, it still generated several headlines and damaged the reputation of the company in question. This event highlights the importance of cyber security for companies, and insurers in particular, who hold vast amounts of consumers’ financial information. The potential repercussions of insufficient data protection can go far beyond media headlines and quickly turn into effects on the bottom line.
According to TechRepublic, cyber security is based on the CIA triad: availability, confidentiality, and integrity. Availability refers to whether or not computing systems, security controls, and other similar features are functioning properly. Confidentiality, which the media largely focuses on, is the ability to prevent disclosure of information to unauthorized individuals or systems. Integrity, which concerns the accuracy and consistency of data and systems, is the least secure of the three. In the bond insurer example, although it was the loss of confidentiality that was ultimately exposed and reported on, the leak was fundamentally triggered by minute internal system inconsistencies. This shows that companies must be wary of the multitude of factors that affect data privacy.
However, though businesses continue to become increasingly dependent on data, they are not placing equal emphasis on security measures. Hackers have clearly noted this opportunity, as the volume of data breaches for businesses and medical organizations increased from 470 in 2012 to 614 in 2013, a 31% increase. The number of records exposed also rose from 17.5 million in 2012 to 92.0 million in 2013, a 426% rise. Given these statistics, it is understandable that in 2014, 48% of business organizations felt more wary of cybercrime risk. To protect themselves, companies must focus on developing methodologies to detect threats, secure information, and monitor for unauthorized exfiltration. This is especially important to do in real time, as companies need to respond as risks arise in order to take the appropriate steps to limit the exposure of digital information from their networks.
If insurers do not enact such measures and subsequently undergo data breaches similar to the bond insurer noted above, they are endangering both their reputation and their bottom line, as evidenced by the fact that the average organizational cost of a data breach in 2014 was $5.9 million. On top of this, insurers also face significant legal and regulatory risk due to federal laws such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, all of which enforce policies and procedures around the safeguarding, usage, and transmission of personal information. Failure to comply with these policies has led to intervention by regulatory bodies and to class action lawsuits, resulting in millions of dollars of losses.
To mitigate the risk of these and other consequences, companies have invested in data breach insurance coverage, as shown by a 21% increase in cyber insurance purchases from 2012 to 2013; these policies cover data loss/corruption, liability, business interruption, identity theft, and a variety of other events. While this is a necessary measure, it is also reactive in nature and akin to placing a Band-Aid on a gunshot wound, given the number and size of potential lawsuits for consumer information leaks. Insurers must shift focus to proactive solutions, specifically the development and implementation of enterprise-wide security initiatives that address the CIA triad. Upon doing so, insurers must also establish frameworks to monitor, analyze, and improve their processes. Ultimately, this will result in an increased level of data protection, put consumers at ease, and boost investor confidence, all of which will allow insurers to focus on their business rather than putting out data fires.