John Phelps, director of business risk solutions at Blue Cross and Blue Shield of Florida (BCBSF), reports that while cyber crime is a concern, the company’s biggest privacy worry is the unintentional release of private information by employees.
“It’s possible that a mistake will be made when you’re dealing with millions of claims every week,” he says.
To guard against such a breach, BCBSF employs a defense-in-depth strategy that combines technology, processes and training. Although BCBSF declined to provide specifics on those controls, Phelps says that the company uses an array of automated safeguards around network integrity and data security, as well as a response team that is activated immediately upon learning of a possible security event.
“In a high-transaction environment like ours, automated controls are essential,” Phelps explains. “We can train our people to guard against mistakes, as well as against cyber attacks and social engineering we see are happening today, but tomorrow we see something new and creative that we need to defend against.”
Insurance has become an increasingly important part of BCBSF’s cyber risk management plan in recent years. “Cyber liability insurance has grown from a small cost to a significant element of the budget,” Phelps says.