The New Year is already being hit with its first cyber news with California Insurance Commissioner Dave Jones releasing a report on Friday stating hackers who accessed the health records of 78 million Americans in 2014 could have been working for a foreign government.
The attack on Anthem almost three years ago was followed by similar breaches on other health insurers and on Friday cybersecurity firm CrowdStrike said it had “Medium Confidence” the hack was state sponsored.
In this bold new world of everything cyber, where do the chips lay in the cyber insurance field?
“You have a whole host of insurance brokers and wholesalers, and other than the very large ones, I see them really struggling to figure out what is the best approach to mitigating cyber risk,” James R. Woods, Co-leader of Mayer Brown’s Global Insurance Industry Group said. “They don’t have a lot of capital to be spending in this area – but the interesting thing is these companies all possess personal identifying information that needs to be properly protected.”
Costs of cyber insurance are notoriously prohibitive and geared towards major corporations.
This becomes a problem for everyone when smaller organizations are contracted out by larger ones, providing a pathway for hackers to access big companies even when they have strong cyber security.
“Mid-level capitalized companies or lower capitalized companies I think are still playing a bit of a waiting game and are still trying to get their arms around what they can do, what they can afford to do and what they have to do.” Woods said.
“Those with more significant capitalization, the large insurers, they’re taking this very seriously and crafting mechanisms to protect themselves from cyber-attacks”
Trisura Insurance is asking its clients in all industries and of all sizes to review their mobile devices and software security systems in light of cyber’s increasingly high profile and a progressively tougher regulatory landscape.
“Clients both big and small should conduct an audit of their existing cybersecurity position, including an evaluation of who and what is connected to their systems and networks, what is running on their systems and networks and whether they have technology in place to prevent, detect and deal with most breaches,” Michael Kalakauskas, the Senior Underwriter in Trisura’s Specialty Insurance department said.
“These organizations should also consult cyber experts regularly if they do introduce new devices to their businesses or personal lives.”
Kalakauskas noted Internet of Things devices like wireless webcams, routers and smart home security gadgets are connected to networks and people, connections that could have vulnerabilities and are worth examining.
Greater cooperation is what James Woods wants examined, with a focus on practicality top of mind.
“Let’s realize they (companies) aren’t inviting hacking they are victims of hacks, it’s somewhat unfair to put them in a defensive posture,” Woods said. “The regulators, the government and the industry should be working together to craft appropriate regulations with which the industry can actually comply.”
PRMA reflects on the year behind and the one ahead