This wasn’t a run-of-the-mill data breach or cyberattack. Instead, Bupa had fallen victim to a rogue employee.
“It was a deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems,” the health insurer said in a statement.
On the rising threat facing the industry, Meena Wahi, a specialist cyber broker and director of Cyber Data-Risk Managers, said that with its troves of personal information, the industry remains vulnerable to cyberattacks, data breaches and human error, and now to malicious attacks from the inside.
“The insurance industry would be high risk for cyber and some vulnerabilities in regards hacking incidents and some malicious attempts by employees, even human error incidents, would rate high, not just as risks, but high impact incidents,” Wahi told Insurance Business.
Human error is often pointed to as one of the biggest reasons for a data breach but the Bupa incident shows a different type of human action can be just as damaging – and in terms of protecting clients, cyber insurance policies may not be up to the task when it comes to a deliberate, malicious, insider attack. Wahi noted that the Bupa case may fall under a crime policy rather than a cyber policy depending on the wording.
“Other policies may reject the incident as not being a cyber risk or cyber insurance kind of an incident. The policy wouldn’t respond as it is considered a crime,” Wahi continued.
“If an employee is disgruntled or has a history it can’t be treated like a data breach or a human error kind of situation. Indeed crime policies are usually related to financial crime so they may not recognise data theft as such criminal activities.”
Wahi said that the Bupa example shows that policy wordings need to continue to evolve to meet the ever-changing risks that both clients and the industry face.
“I think the wordings will have to respond,” Wahi said. “If you are talking about data in the context of loss and compromise and theft, then we have to make it very clear or include deliberate malicious loss, theft of data under a cyber policy.”
Mitigation against these types of malicious attacks can come in several forms. Wahi noted that brokers can advise clients to utilise access levels and controls to ensure that data is kept secure. Using trigger controls that notify a manager when sensitive data is being downloaded can also help curb the threat, as can monitoring internal data flow.