Insurance Industry Cyber-Security: Three Things You Need to Know


Once hailed as unhackable, blockchains are now getting hacked, according to MIT Technology Review. So are companies that should be very secure. We’ve all heard the news of the 2017 Equifax hack. The incident “exposed the personal information of more than 147 million consumers and led to class action lawsuits, criminal investigations and increased regulatory scrutiny,” said Risk Management Magazine.

Today, cyberattacks are common and increasingly sophisticated. For insurers, the threat is all the more acute. “Challenges exist in the data breach space for insurance companies in particular as they require a ‘treasure trove’ of stored sensitive information in order to do business with customers,” Insurance Journal said.

Furthermore, the fallout from a data breach can be mind-spinning, and there are many ways to measure the damage: the number of consumers whose personal lives are affected; the direct costs stemming from lawsuits and reparations; and the indirect costs arising from business lost to reputational damage and loss of brand equity. Any one of those issues has the clout to devastate a company – but when you’re dealing with a data breach, it doesn’t just rain. It pours.

How to avoid that scenario? The answer boils down to two rules: know what steps to take, and then take them. Here are some facts to get you started.

Three Facts that Every P&C Insurer Should Know

1. Insurers are high-value targets.

“Insurers like Anthem and Premera Blue Cross have had millions of customer records compromised, making their members vulnerable to identity theft and exploitation,” said Accenture. “But they are not alone – an Accenture survey reveals that insurers are suffering from an astounding number of security breaches.”

Or not so astounding: insurance data is sensitive, high-value information, and it comes with many possible doors and windows for hackers to target, from payment processing to policy administration.

Takeaway: The systems you use must be secure.

2. Knowing is half the battle – but only half.

The most basic layer of defense is very simple. It includes rules such as requiring a unique password for every login, making passwords sufficiently complex, assigning appropriate access privileges to every team member, and “changing the locks,” so to speak (removing access), when a team member leaves the team. These are simple, low-cost rules that should be part of every company’s written security policy, and they’re nothing new. We’ve all heard them before.

So why is it that when the Verizon RISK team analyzes security incidents each year, so many of the breaches they discover could have been prevented by basic best practices? The answer is chilling: because a lot of companies just aren’t practicing them.

Takeaway: Don’t be the low-hanging fruit.

3. P&C insurers are positioned to make an important difference.

According to David Garrett, the founder of Tensyl Security, P&C insurers are positioned to make an important difference in cybersecurity. How? By being good teachers. Educating customers on basic best practices in security will help protect them from exposures; it will also raise awareness about the importance of security overall. “In fact, I think that by helping insureds, carriers will actually grow this particular business,” Garrett said.

Takeaway: If you get proactive about security, you can make a meaningful difference in the lives of the customers you serve.

On that note, we’re proud to announce that Silvervine Software recently completed an SOC 1 (SSAE 16) Type 2 examination: an independent accreditation that demonstrates our commitment to the quality and security of the services we offer. When it comes to policy administration systems and payment processing, don’t accept anything less.