As technology evolves, so do the risks associated with cyber threats in the insurance industry. With the increasing digitization of processes and the growing volume of sensitive data, cybersecurity, and compliance have become paramount concerns for brokerage insurance firms and independent producers alike. It is imperative for industry professionals to prioritize cybersecurity measures to protect their clients, their businesses, and their reputation.

These statistics and examples provide evidence of the importance of cybersecurity and compliance in the broker insurance industry, emphasizing the need for proactive measures to mitigate risks and secure sensitive information.

Nine Reasons Why Cybersecurity and Compliance are Important

1) Ongoing Regulatory Compliance

• 79 percent of insurance executives believe that regulatory compliance is a top priority for their organizations. The future of regulatory compliance for the insurance industry requires leaders to find a balance between opportunity and obligation.¹
• Example: In November, 2023, The NYDFS fined an Insurance company $1 million for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) stemming from a large-scale cybersecurity breach.²

2) Increase in Third-Party Vulnerabilities Now Used by Hackers as a Valid Entry Point

• The rise of software supply chain compromises was the root cause of 12 percent of breaches.³
• Example: The 2017 Equifax breach that exposed the personal information of millions of individuals was attributed to a vulnerability in a third-party software application.⁴

3) Outdated Systems and Infrastructure that Needs Patched

• The average time to identify and contain a data breach caused by an outdated system is 280 days.⁵
• Example: The WannaCry ransomware attack in 2017 exploited vulnerabilities in outdated systems, affecting thousands of organizations worldwide.⁶

4) AI and Advanced Technologies

• 75 percent of cybersecurity professionals have seen an increase in attacks over the past year, with 85 percent attributing it to threat actors weaponizing AI.⁷
• Example: Deepfake technology can create convincing fake videos of executives, potentially leading to social engineering attacks in the insurance industry. Instances of deepfake phishing and fraud surged by 3,000 percent in 2023.⁸

5) Liability Risk (Accountability across all roles)

• Global cybercrime damage costs will grow by 15 percent per year over the next two years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.⁹
• Example: The CEO of a large insurance company faced legal repercussions after a data breach resulted in significant financial losses for customers.¹⁰

6) Increase in Hacker Expertise and Entry Points

• 74 percent of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.¹¹
• Example: A phishing email targeted at insurance brokers led to unauthorized access to sensitive client data, resulting in a data breach.¹²

7) Ongoing Nation-State Attacks

• The Department of the Treasury reported that the total value of U.S. ransomware incidents reached $886 million in 2021, a 68 percent increase compared to 2020.¹³
• Example: Health insurance and services company UnitedHealth Group is blaming a state-sponsored threat actor for a cyberattack on its subsidiary Change Healthcare.¹⁴

8) Remote and Hybrid Work Increased Attack Surfaces (not going away)

• CyberArk found 85 percent of organizations experienced a security incident due to remote work during the COVID-19 pandemic.¹⁵
• Example: A remote employee of an insurance brokerage accidentally exposed sensitive client data by using an unsecured Wi-Fi network.¹⁶

9) It’s not “If” a Breach Will Happen, it’s “When”

• The IBM Cost of a Data Breach Report states that the global average cost of a data breach in 2023 was USD $4.45 million, a 15 percent increase over three years.¹⁷
• Example: An Insurance consulting and brokerage firm is informing more than 1.5 million individuals that their personal information was stolen in an August 2023 cyberattack.¹⁸

Buckler’s Founder and Chairman, Vincent Guyaux states, “Cybersecurity, and the regulatory requirements around it, went from suggested to required and from attestations to evidence-based. Adhering to cybersecurity regulations isn’t just a legal necessity; it’s also essential for preserving the confidence of clients and stakeholders.”¹⁹

Brian Edelman of FCI adds, “Anyone that cares deeply about their business should care about cybersecurity. As an MSSP that automates and secures environments with Zero Trust solutions, we have seen it all from one and two-person agencies to large enterprises and brokerages that have a pressing need to stay compliant as threats continuously shift.”

Cybersecurity and compliance must be at the forefront of discussions and actions within the insurance world. The evolving threat landscape, coupled with regulatory pressures and the increasing reliance on technology, necessitates a proactive approach to cybersecurity. By understanding the top reasons why cybersecurity and compliance are important, insurance professionals can better protect themselves, their clients, and the integrity of the industry as a whole. It’s time to make cybersecurity and compliance front-burner topics and take decisive actions to safeguard against cyber threats in today’s digital age.

Data Encryption is the Foundation for a Compliance Program
Data encryption is the foundation to building out a solid, executable compliance program. Although, most compliance requirements only address minimal data encryption requirements such as encryption at rest and in transit, if they specifically define encryption at all. Many compliance regulations basically state that data must be protected. We have to remember that compliance refers to adhering to laws, regulations, and guidelines that dictate how an organization should manage and protect data. Data security, on the other hand, involves the technical and administrative controls used to protect data from authorized access, breaches and other forms of misuse.

So why is data encryption the foundation to building out a solid, executable compliance program? Let’s look at where compliance frameworks intersect data encryption:

1. By encrypting private, sensitive, and controlled data in all three states (encryption at rest, in motion, and in use), the organization will position to exceed any compliance data security requirements and avoid compliance penalties. More importantly, encryption of data in all three states will greatly reduce the likelihood of a threat actor stealing or ransoming critical data. In 2022, Paperclip Inc. launched SAFE®, an innovative solution specifically designed to assure that critical data is always encrypted, including where organizations are most exposed, data in use.
2. Alignment to defense in depth related compliance requirements. Compliance requirements mandate training, accessibility, authentication, and data leakage controls. Encrypting core, operational data will assure that all compliance layers from the data through to the endpoint are more effective. When implemented, the proper encryption solution will protect the data when other measures break down. For example, Paperclip SAFE^®, a data in use encryption solution will protect sensitive data even when a threat actor compromises an end user’s credentials, or even when the threat actor is inside the network perimeter.
3. One particular data compliance area currently being targeted by the SEC and FINRA is related to incident response (IR). On the surface, IR is less about data security and more about business continuity. Auditors are challenging not just the plan in place, but has it been tested. They want to see the results and mitigation reports based on performance of active IR tabletops. Where the audit of the IR plan intersects with data security is around how auditors are looking to see how the IR plan and tabletop connect to the security an organization has in place. For example, when the organization has encrypted critical data with a solution such as Paperclip SAFE®, it removes that data from theft and ransom. This practice reduces the likelihood of consumer data exposure and will allow the organization to quickly gain control of the incident. IR is all about regaining control of the operational environment, reducing threat actor activity, and getting the operation back online with little to no disruption.

A strategic combination of services from organizations like Buckler and Paperclip will avoid costly out of compliance penalties and even more costly breach expenses and catastrophic reputational loss.

Reference:

1. https://www2.deloitte.com/us/en/pages/regulatory/articles/insurance-regulatory-outlook.html.
2. https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311281.
3. https://www.linkedin.com/pulse/rising-costs-data-breaches-2023-key-insights-from-ibms-latest/.
4. https://www.csoonline.com/article/567833/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.
5. https://www.ibm.com/thought-leadership/institute-business-value/en-us/blog/security-fraud-risks-banking-financial-markets.
6. https://money.cnn.com/2017/05/13/technology/ransomware-attack-nsa-microsoft/index.html.
7. https://www.cfo.com/news/cybersecurity-attacks-generative-ai-security-ransom/692176/#:~:text=Seventy%2Dfive%20percent%20of%20security,Sapio%20Research%20and%20Deep%20Instinct.
8. https://www.forbes.com/sites/forbestechcouncil/2024/01/23/deepfake-phishing-the-dangerous-new-face-of-cybercrime/?sh=3ecc5d774aed.
9. https://cybersecurityventures.com/cybercrime-to-cost-the-world-9-trillion-annually-in-2024/.
10. https://www.insurancejournal.com/news/national/2024/01/02/753570.htm.
11. https://www.verizon.com/business/resources/reports/dbir/.
12. https://www.cnbc.com/2023/01/07/phishing-attacks-are-increasing-and-getting-more-sophisticated.html.
13. https://www.gao.gov/assets/870/865761.pdf.
14. https://www.securityweek.com/state-sponsored-group-blamed-for-change-healthcare-breach/.
15. https://www.cyberark.com/press/cyberark-state-of-remote-work-study-poor-security-habits-raise-questions-about-the-future-of-remote-work/.
16. https://www.cpomagazine.com/cyber-security/protecting-remote-workers-against-the-perils-of-public-wi-fi/.
17. https://www.ibm.com/reports/data-breach.
18. https://www.securityweek.com/1-5-million-affected-by-data-breach-at-insurance-broker-keenan-associates/.
19. https://www.linkedin.com/pulse/impact-cybersecurity-insurance-brokering-chathura-kehelpannala-jyayc/.