Cyberattacks and data breaches are the new normal for insurance agents and agencies. Here is some basic information that will help reduce cyber risk for insurance agents.
For decades, insurance agents and agencies have done business continuity planning to ensure they can operate during, or recover quickly after, a fire, flood or other disaster. But the times have changed. Now they must also worry about malicious actors breaking into their computer systems to steal valuable information or disable their equipment.
Here are three cases that illustrate this risk:
A Kentucky agency revealed that unknown people or entities broke into its computer system to access multiple company email accounts. The breach compromised clients’ personally identifiable information (PII), particularly those who requested policy quotes or had filed workers’ compensation or general liability insurance claims.
The affected PII included customer names, dates of birth, Social Security numbers, financial account information, health-related data, driver’s license or state ID numbers and passport numbers.
Although the agency could not confirm that any client information had actually been misused, it commissioned a forensic investigation of the breach and, as state law requires, sent formal notices to all affected individuals.
A Pennsylvania agency discovered that an unauthorized person penetrated the company’s network and accessed consumer and business client information. The breach involved full customer names, Social Security numbers and driver’s license data. After learning of the incident, the agency secured its computer system and hired a cybersecurity consultant to determine the source and scope of the damage. It also sent out the required state disclosure letter.
A New Hampshire agency fell prey to a ransomware attack in which the perpetrator stole the PII of three of its clients. The agency disclosed the incident in full and provided the affected clients with free credit monitoring so that any misuse of their data could be detected early.
The takeaways from these events? Insurance agents and agencies must tighten their defenses against cyberattacks and data breaches while developing a strong response plan— even when only a handful of policyholders are involved. Is your agency ready to mount a robust cyber defense and post-incident recovery? There’s never been a better time to mitigate your vulnerabilities.
Also, if you don’t currently have a cyber liability and data breach policy, consider purchasing one soon. Such a policy typically covers the costs of diagnosing a cyberattack and repairing the damage, as well as the expenses of post-breach consumer notification, which can be high.
Cyberattacks and Breaches in the Insurance Industry
According to Verizon’s 2022 Data Breach Investigations Report, the finance and insurance industry suffered 2,527 cyber incidents during the reporting period, 690 of which involved confirmed data disclosure. The perpetrators were mainly criminals with financial motives.
Attack vectors included social engineering (phishing), hacking (largely with stolen credentials) and malware, especially ransomware. Misdelivery of business information was a significant problem, with three times more such incidents in finance and insurance than in other business sectors. Disclosure by the perpetrator itself (for example, a ransomware gang announcing its victim) was the discovery method in 58% of breaches in the Verizon report, up from 5% in 2016. This suggests that ransomware continues to be a severe problem for insurers and their intermediary sales organizations.
Cyberattacks Defined
A cyberattack is any attempt to gain unauthorized access to a computer or computer network in order to cause damage. Cybercriminals have pernicious objectives: render computers inoperable, disrupt business operations, block users’ access to their equipment and data, and hold valuable information hostage for money.
Cyberattacks can have catastrophic financial results. The 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute found that the average total cost of a data breach was $4.35 million, an all-time high. It also found that the average cost per compromised record reached a seven-year high of $164. If you multiplied the size of your customer database by that number, could you afford the result?
Why do cyberattacks happen? They stem from three human motivations: criminal, political and personal.
- Cybercriminals are all about financial gain. They aim to steal money or data and disrupt computer systems for profit.
- People with political motivations target industries or companies whose values they oppose. Their so-called “hacktivism” calls attention to the behavior of their targets in order to embarrass them or achieve social change.
- Individuals acting on a personal grudge disrupt a company’s computer systems to take revenge.
In the insurance industry, cyberattacks happen mainly for financial reasons. Cybercriminals know insurers and agencies store invaluable PII they can leverage for financial gain. As long as you continue to store this data, you will remain a cybercrime target.
Data Breaches Defined
A data breach is an incident in which an unauthorized party accesses confidential information or discloses it to others without permission, whether through a deliberate attack or by accident. Breaches typically involve PII, protected health information (PHI), trade secrets or other valuable information. As soon as an unauthorized person views the protected data, the company that housed it has suffered a data breach.
Data breaches happen for many different reasons. For instance:
- A company employee may accidentally release private information.
- Someone intercepts data moving from a company network to the cloud or another location.
- Malware or ransomware attacks lock users out of their computers and important data, and ransomware operators increasingly steal the data before encrypting it.
- Phishing attempts seek to gain access to confidential records.
Cyber Compliance Requirements for Insurance Agents
Insurance agents and agencies must comply with strict state and federal regulations regarding consumer privacy. Regulatory bodies expect agents to take reasonable steps to protect their clients’ data against cyberattacks and cyber breaches and keep this information safe.
The central regulatory pillar is the Gramm-Leach-Bliley Act (GLBA) of 1999. GLBA limits how insurers, insurance agents and brokers can disclose and use customer information. It mandates the delivery of annual privacy notices to customers detailing the firm’s privacy practices, and it requires firms to give clients the right to opt out of arrangements to share their data with third parties.
GLBA also requires insurance entities to maintain a written information security program (often called a WISP) to protect their clients’ data. Its safeguards requirements are highly prescriptive. Here are just a few of the actions agents and brokers must implement:
- Controls to authenticate people who wish to use customer data
- Encryption of customer information
- Systems to detect intrusions
- A response plan after a cyberattack or data breach occurs
- Measures to protect customer data from being destroyed, lost or damaged
- Regular testing of the entire data security program
Other federal cybersecurity laws that apply to insurance agents and brokers include the Health Insurance Portability and Accountability Act (HIPAA), which protects consumer health information, and the Fair Credit Reporting Act (FCRA), which safeguards consumer credit data.
States have gotten into the data protection act as well. New York, California, Massachusetts and others have adopted their own cyber regulations. For instance, in 2017, the New York Department of Financial Services enacted a cybersecurity regulation to tighten state data security. It requires agents and brokers, with several exceptions, to:
- Develop a detailed cybersecurity plan.
- Designate a Chief Information Security Officer (CISO).
- Enact a comprehensive cybersecurity policy.
- Report qualifying cybersecurity events to the Department within the regulation’s 72-hour deadline.
New York and other states also have data breach notification laws. They require agents and brokers who experience a breach to tell their customers and other affected parties about it. They also must take steps to mitigate the incident, and several states require free consumer credit monitoring when Social Security numbers are exposed.
Because cybersecurity regulations are multi-jurisdictional and complex, rely on your carrier and agency experts to stay compliant. Outside resources such as Invisus can also guide you. Its InfoSafe® Certification includes guidance and assessments to help you comply with major federal, state and industry cyber regulations.
The Need for Cyber Liability and Data Breach Insurance
When you buy cyber liability and data breach insurance, your policy covers claims involving both first- and third-party costs. First-party expenses are your own costs for diagnosing and repairing a breach of your agency’s systems, plus the costs of notifying clients and providing credit monitoring.
Third-party costs arise when someone sues you because you failed to protect their confidential data. With cyber liability and data breach insurance, your insurer will pay for your attorney fees and any financial settlements or judgments a court imposes on you.
Given the likelihood that a cybercriminal will perpetrate an attack or breach against you and your customers, having an insurance safety net is the best path to cyber peace of mind.
Strengthen your cybersecurity by purchasing Cyber Liability & Data Breach Insurance from the National Association of Professional Agents (NAPA). Protection starts at just $199 annually.