BreachExchange mailing list archives

Could the Anthem Hack Happen Again? New Report Analyzes Insurers’ Cyber Security Programs
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Feb 2015 13:31:49 -0700

http://www.jdsupra.com/legalnews/could-the-anthem-hack-happen-again-new-20823/

The New York State Department of Financial Services (the “Department”)
recently released a “Report on Cyber Security in the Insurance Sector” (the
“Report”). The Report was released on February 8, 2015, just four days
after Anthem first reported the breach of its database estimated to contain
as many as 80 million customer records. While the Report does not directly
address the Anthem breach (the Department addressed Anthem’s breach in a
separate alert), its findings provide a detailed look at the current cyber
security landscape in which the Anthem breach occurred.

The Report analyzes survey data collected from 43 insurance entities that
collectively hold a staggering $3.2 trillion of combined assets. Of these
43 entities, 21 are health insurance providers, 12 are property and
casualty insurance providers, and 10 are life insurance providers. The
Report’s questions address six main topics: (1) the insurer’s information
security framework; (2) the use and frequency of penetration testing and
results; (3) the budget and costs associated with cyber security; (4)
corporate governance around cyber security; (5) the frequency, nature, cost
of, and response to cyber security breaches; and (6) the company’s future
plans on cyber security. In an effort to obtain a broader understanding
of the context of these cyber security programs within the insurers’
overall risk management strategy, the Report also analyzes the statutorily
required enterprise risk management (“ERM”) reports that certain insurers
filed with the Department.

The Report has a number of interesting findings, many of which trigger
their own questions:

Insurer Sophistication is Nuanced. The Report concluded that the size of an
insurer’s assets is not the only factor that determines the sophistication
of the insurer’s cyber security program. The breach of Anthem, one of the
largest health insurers in the country, may be viewed as lending credence
to this finding. In addition to an insurer’s assets, the Report finds that the
sophistication of a cyber security program is also determined by the firm’s
transactional frequency, the variety of business lines (insurance and
non-insurance) written, and the sales and marketing technologies associated
with those lines.

Emerging Threats Are Recognized, but Confidence Remains High. When asked
which factors are the primary barriers to ensuring information security at
their organizations, 81% of respondents pointed to the increasing
sophistication of cyber security threats, while 72% believed that emerging
technologies were the primary barrier. Notwithstanding the recognition of
increasingly sophisticated and dynamic threats, over half of the insurers
reported that their organization’s current information security strategy
adequately addresses new and emerging risks, with only 40% reporting a need
to modify their strategies to address new and emerging risks. Further, only
51% of insurers surveyed reported having a budget specifically for cyber
security events, while 95% of insurers believe that they have adequate
staffing levels for information security. Again, this survey was conducted
prior to the Anthem breach. It would be interesting to know the comfort
level of respondents following the Anthem breach, and whether or not their
responses might change.

Health Insurers Uniquely Manage IT. Close to 60% of the health insurers
surveyed relied entirely on in-house IT system management. In both property
and life insurance sectors, a majority of the firms relied on a mix of both
in-house and outsourced management. The Anthem hack will certainly raise
questions about the capabilities of in-house IT management.

Intrusion Prevention Lacking. According to the Report, all of the
respondents implemented “intrusion detection systems.” However, health
insurers were the least likely to implement such systems. The National
Institute of Standards and Technology (NIST) defines “intrusion prevention
system” as software that has all the capabilities of an intrusion detection
system but which can also attempt to stop possible incidents. While
NIST notes that there may be technical reasons for turning off certain
prevention features, the Report does not address these issues in detail.

Cloud Policies. Of the three insurance sectors surveyed, health insurers
were the least likely to have policies and procedures in place to mitigate
the information security risks associated with cloud computing.
Unfortunately, the Report does not specify the percentage of health
insurers that are implementing cloud-based information systems nor does it
address the pervasiveness of cloud use in those insurers that do use the
cloud.

In addition to its findings, the Department highlights three areas of
potential industry change that it believes could help foster improved cyber
security: (1) management of third-party service providers that handle
sensitive information, with a focus on obtaining the appropriate
representations and warranties from the third-party service providers; (2)
the potential use of new security technologies (e.g., multi-factor
authentication) to prevent breaches; and (3) the potential industry benefit
that could result from a larger cyber insurance market.

The pressure on insurers to apply these and other security measures is
likely to increase following the Anthem breach. Similarly, matters of data
security will assume increased urgency from the Department and other
regulators responsible for overseeing an industry responsible for
staggering amounts of personal and financial information assets.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 