

Cybersecurity Regulations for Insurance Companies


What are the cybersecurity regulations for insurance companies? As the sector appears in breach headlines more and more often, insurers are realizing how exposed they are to cybercrime. Attackers may have several motives, but the most lucrative prize is the massive volume of sensitive personal data held in insurers' databases.

Cybercrime in the News: Insurance Companies

On March 26, 2020, reports surfaced that Chubb, the global insurance giant, had been hit by the Maze ransomware group. Maze's hallmark was not merely encrypting a victim's data but first exfiltrating it to the group's own servers and then threatening to publish it. Chubb itself stated that the incident involved data held by a third-party service provider rather than a compromise of its own network, which illustrates how supplier risk lands on the insurer regardless. Ironically, Chubb is one of the largest sellers of cyber insurance, the product that covers other companies against exactly this kind of attack.

In May 2021, AXA's Asia operations also suffered a major ransomware attack, in which the attackers claimed to have stolen customer data as well as encrypting systems. Some estimates suggest that over 100 million people in the US alone have been affected by data breaches in the insurance industry over the past few years.

Because the sector is seeing such a high frequency of cyberattacks, many of our insurance-sector clients are looking to take concrete steps to protect consumer data, and the first question they ask is:

Why is the insurance industry a prime target for cyberattacks?

Insurance firms collect and store consumer data to support underwriting and claims processing. This data can include personal contact details, medical records, identification documents, financial and banking information, and social security numbers. It is highly sensitive, and its exposure has severe consequences: criminals who obtain it can commit insurance fraud and identity theft directly, and can use it to launch convincing follow-on attacks against the affected individuals.

The second factor that raises the cybersecurity risk for insurance companies is their heavy reliance on legacy systems, which are often unsupported, unpatched and lacking modern controls such as strong authentication and logging. Many firms have started migrating towards digitization and modernization, but continued use of legacy systems during the transition leaves them exposed. Poorly implemented digitization can also backfire: moving to digital records and cloud or SaaS platforms expands the attack surface and introduces third-party risk, because the insurer's data now sits with vendors whose security it does not directly control.

Lastly, even companies with tested backup and recovery plans are no longer safe. Sophisticated ransomware groups don't just encrypt data; they exfiltrate it first and threaten to publish it. In this double-extortion scenario, backups address availability but not confidentiality: even if the firm restores its systems, it still faces the loss of the data, the resulting reputational damage and regulatory fines.

This potent mix of valuable data, weak cybersecurity planning and a lack of employee awareness of cybersecurity risks leaves insurance firms under constant threat of cyberattack.

Fortunately, legislators and regulators have acknowledged this weakness and have enacted and enforced regulatory standards specific to the insurance industry.

What are the cybersecurity regulations for insurance companies?

The New York Department of Financial Services issued its Cybersecurity Regulation (23 NYCRR 500) in 2017. Considered groundbreaking in its approach, it has emerged as the leading standard for insurance companies in the USA and Canada. Although it was written for firms licensed in New York, states around the country have adopted similar regulations, largely through the NAIC model law described below. Canadian insurers that hold a New York license fall within its scope directly, and many others treat the NYDFS requirements as a benchmark.

The other leading framework is the NAIC Insurance Data Security Model Law, which sets out specific requirements to protect insureds' data. The NAIC model requires a written information security program built on technical, administrative and physical safeguards, a periodic risk assessment, oversight of third-party service providers, an incident response plan, prompt breach notification to the insurance commissioner, and employee training programs.

Apart from these two regulations, insurance firms are also expected to align with other standards and regulators, such as the NIST Cybersecurity Framework, ISO/IEC 27001, OSFI guidance (for federally regulated insurers in Canada) and SOC 2.

The specific legislation that applies to a given firm varies widely with its location and the nature of its business. A penetration test by an experienced cybersecurity firm is therefore a valuable tool to measure actual security levels and data protection practices against these benchmarks; it tests the technical controls in place, and complements rather than replaces a compliance assessment against the applicable regulation.

Given the nature of the data they store and the increasing number of breaches, insurance companies are under intense scrutiny from legislators and regulators. Maintaining strict controls and demonstrable adherence to the cybersecurity regulations for insurance companies is the surest way to protect consumer data and avoid substantial regulatory fines.