Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

 

 

 

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Continue reading

Public Breach Disclosure Laws Up the Ante on Security – But Do They Work as Intended?

david-taylorkall-loperBy David Taylor, Managing Director
Technology Consulting, Security and Privacy

and Kall Loper, Director
Technology Consulting, Security and Privacy

 

On January 3, The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches to a publicly accessible state website. Previously, this information could only be obtained with a public record request. The new site includes summary information of the breach and is organized by year. The breached organization’s name, the magnitude of the breach and the type of information exposed (Social Security numbers, credit card numbers, etc.) are included in the summary, among other details.

The Massachusetts office’s decision follows other recent examples of states tightening their breach notification statutes and definitions of what constitutes sensitive information. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted laws requiring companies transacting business with residents of their state to report data breaches.

Any law that intends to protect consumers is, on its face, a good one. However, we feel that a direct, pain-stimulus motivation such as Massachusetts’ public breach notification reporting may work against a more effective approach to remediation by forcing short-term, technical responses that do not necessarily ensure security over the long term.

Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible. But rather than encouraging breached companies to address the complex causes of the breach, public breach reporting encourages narrowly tailored investigations and short-term remediations. A quick-to-implement response such as a firewall or an intrusion detection system may remediate the specific problem found, but not the class of vulnerabilities, or any security architecture failings, employee practices or organizational data use patterns.

Often, system-wide vulnerabilities are not addressed for fear of finding more problems that require reporting, potentially causing further erosion of public confidence, brand value or market capitalization. This ostrich-like approach is surprisingly common, and lengthy, expensive lawsuits are often the result. Unfortunately, direct reporting laws, like the recent one from Massachusetts, only intensify the desire to avoid further discovery for fear of immediate penalties.

In addition to the business risks mentioned above, a technical knowledge gap often holds companies back when it comes to remediating the vulnerabilities leading to the breach. Holistic breach recovery requires a broad range of capabilities, from expertise in technical security practices and organization security practices, like identity and access management, to expertise in public relations, legal and electronic discovery processes, project management and information governance policies.

Without an appropriate formulation of goals and planning, a post-breach remediation can be an expensive exercise in seeking psychological comfort and not much more. Vendors will flock to the breached company’s executives with “solutions” that often do not address the root causes of the organization’s failure. Solution-based answers are good if the goal is to show a lot of activity and reportable benefits; however, when the cash stream ends, the solution vendors depart, leaving the company without a long-term plan toward a more secure organization.

Effective post-breach remediation is a planned set of specific activities that ultimately becomes part of the ongoing information security structure. Among these activities are:

  • Organizational change to address the security practices of end users through employee training and implementation of a company-driven plan to grow security awareness
  • Information policies that take into consideration data protection priorities and are designed to eliminate unnecessary risk and minimize unavoidable risk
  • Information governance, to make information available only to those who need it, but also keep it accessible and flexible based on the company’s needs
  • Agile and responsive security through solutions appropriate to the company’s sustainable efforts and long-term goals.

The developments in laws intended to protect consumers’ personal information from exposure point to a trend – there will be more, not less, required of companies in that regard. The sooner and more comprehensively the complex causes of the breach are addressed, the less there is a chance of a repeated event. Only through a comprehensive and thoughtful response will companies lessen the long-term damage to their public image, brand value and bottom line.

A Matter of Trust: Taking a Look at the CISA Controversy

Kurt UnderwoodBy Kurt Underwood
Global Leader of Protiviti’s IT Consulting Practice

 

 

 

Back in October, we issued a Flash Report on a senate move regarding a proposed law that has spurred controversy at home and abroad. The bill is intended to improve cybersecurity in the United States through enhanced sharing of threat information.

Now out of committee, and potentially up for a floor vote in the Senate soon, the Cybersecurity Information Sharing Act (CISA) would allow (but not require) the sharing of Internet traffic information between U.S. government agencies and technology and manufacturing companies, making it easier for companies to share cyber threat information with the government.

The bill provides legal immunity from privacy and antitrust laws to companies that provide threat information from, say, the private communications of users, to appropriate federal agencies and other companies. It also permits private entities to monitor and operate defensive countermeasures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems, and, under certain conditions, the systems of other private or government entities.

Although the bill includes provisions to prevent the sharing of personally identifiable information (PII) irrelevant to cybersecurity, some worry whether those protections are adequate.

The U.S. Chamber of Commerce, National Cable & Telecommunications Association, and other advocacy groups support the measure, on the grounds that the information in question is already flowing freely to spies and criminals around the world. Others, including the Computer and Communications Industry Association and various prominent technology companies, oppose it as a violation of personal privacy.

In the end, it all boils down to trust. Repeated high-profile security breaches of PII and other sensitive data have raised questions regarding the ability of government and large corporations to secure their data. It is interesting to note that the Department of Homeland Security, the designated entry point for all submitted data under the proposed law, is among those opposed to the bill.

The concern crosses international borders. A European court recently struck down an agreement that previously allowed U.S. companies to import the personal information of EU citizens and store that information within the United States. The agreement was called into question over a lawsuit questioning the protection of PII from the U.S. government.

For a more detailed analysis of CISA, you can download the Protiviti Flash Report, Proposed Cybersecurity Information Sharing Act Sparks Controversy. I am interested in your take on the issue in the comments section below.

It’s Not the Time for Banks to Abandon Vendors

Ed Page - Protiviti Chicagoby Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

 

A recent article in American Banker Bank Technology News raises the prospect that stiffer vendor risk management requirements may push banks to bring more IT work in-house. Given the rigor being demanded these days, it’s hard to argue against that position, but banks and regulators alike need to be aware that this could have unintended consequences, particularly at midsize and smaller banks.

Large banks generally have the scale and skills to run IT services in-house, so insourcing to reduce the overhead of vendor management may be a viable approach. However, driving IT services in-house at smaller institutions may create a whole different set of risks. Many midsize and smaller institutions have long depended on outsourced relationships to provide essential IT services, both as a means of acquiring technical competencies and to reduce costs related to IT operations. Consequently, many lack the core competencies, experience and expertise needed to run things in-house.

I liken this a little to the do-it-yourself (DIY) phenomenon in home improvement. Although there are certainly a lot of DIY projects that people can undertake, a project such as upgrading the 1940s era knob and tube electrical wiring currently in your home to current standards is better left to the professionals (unless, of course, you are an electrical wiring expert!).

Insourcing may also pose a secondary risk for the industry as a whole. At a time when banks need to innovate to stay competitive, banks may be discouraged from working with vendors – particularly smaller vendors – who may be creating breakthroughs. This may lead to financial institutions missing opportunities to either drive down costs or introduce new products and services, which in turn creates risk from those institutions and non-bank competitors who are more willing to work with outside providers.

Technology and data are the life blood of banking, so the regulatory intent to ensure accountability and governance over these critical services is undeniably correct, but banks must guard against overreacting in ways that create other equal or even greater risks. The industry needs to retain both insourcing and outsourcing as viable alternatives. Ultimately, organizations should develop an IT strategy based on their business priorities and competencies. That strategy should be supported by a well-defined IT architecture, strong IT and data governance, and – where outsourcing is dictated – sound vendor management.

And for more insights into vendor risk management, I encourage you to read the benchmark report that the Shared Assessments Program and Protiviti recently released on the maturity of vendor risk management in organizations today.

A Look at the Maturity of Vendor Risk Management – A Benchmarking Study from the Shared Assessments Program and Protiviti

I want to share with you a just-released report on the results of a study on vendor risk management practices in which Protiviti partnered with the Shared Assessments Program – a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. Our report reveals some particularly interesting findings regarding how well organizations are managing their vendor risk. Bottom line: There is significant room for improvement in many organizations.

As the volume of outsourced and offshored products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. Data breaches at vendors handling a company’s data and information are costly; they can even carry a higher cost than in-house breaches.

Importantly, the number of incidents is rising – in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization in any industry that is relying on third-party vendors to manage operations and processes. These at-risk vendors include not just data management, IT and security providers, but also facilities management along with any vendor that may have access to your network, data or facilities.

Thus, vendor risk management is a big deal, raising the bar on the importance of a company knowing who its third parties are, how each of them interacts with the company’s customers, what activities each performs on behalf of the company, and what company data they access and process. Unfortunately, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model by the Shared Assessments Program.

The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. Our study reveals some interesting trends:

  • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies and industries.
  • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the overall financial services set.
  • Notable areas for improvement include program governance, and policies, standards and procedures.

To learn more, please visit www.protiviti.com/vendor-risk. And as always, I invite you to share your comments and feedback here.

Jim

Infographic-2014-Vendor-Risk-Management-Benchmark-Study