On the wake of some of the largest data breaches to hit health insurance companies, the National Association of Insurance Commissioners (NAIC) has followed on the heels of the Securities and Exchange Commission and has issued a "guidance" on cyber security. In April, the Cybersecurity (EX) Task Force of the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance.

The Principles for Effective Cybersecurity: Insurance Regulatory Guidance looks to state insurance regulators "to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks." The guidance encourages insurers, agencies and producers to secure data and maintain security with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.

Producers, agencies and insurance companies could all be held liable for the loss of protected health information and personally identifiable information of prospects and clients, such as a person's full name, date of birth, address and Social Security numbers.

The NIST Framework consists of five functions, each divided into subcategories, as well as standards, guidelines and best practices. A security consultant who specializes in threats and cybersecurity can assess networks and help secure them using the NIST Framework and other standards. Whoever you work with should be familiar with common threats targeting the insurance industry, as well as the tactics, techniques and procedures attackers are using around the globe.

Function 1: Identify

Identify assets and risk so you can prioritize your security efforts. First conduct a risk assessment to identify all your information assets, such as client lists, business strategies, marketing information and client data. Then rank each of them according to their values, from very low to very high, to help you focus on protecting the high-value data.

Perform a vulnerability assessment to see what systems and company web-facing applications are weak. Your assessor can help you rank the likelihood and probability of a threat exploiting certain vulnerabilities, and can assess your internal and external network controls, policies and procedures, gaps compared to regulations, and best practices.

(Shutterstock)

Function 2: Protect

Once you know your information assets and their values, gauge your resources accordingly and decide what measures will protect them. You may need security devices and software, but also staff to continually operate the devices. Many organizations erroneously believe that they can buy a security solution to protect their networks from intruders. However, all cybersecurity protective devices (firewalls, instruction protection/detection systems, unified threat management appliances and others) need to be consistently configured, managed and updated with the latest patches—as long as the update won't harm the network.

Once you buy a protective device, you need the oversight of a staff member to operate it to its best ability. No matter what any security vendor says, all protective devices need consistent human interaction. There is no device that works automatically after plugging it into your network. Numerous breaches have occurred because people were not properly operating protective devices. When devices are not properly and consistently configured, hundreds of alerts go off and are ignored.

(Shutterstock)

Function 3: Detect

Despite preventive controls, security incidents still occur. That's why it is important to detect anomalous activity quickly to remove any attackers and prevent or lessen any damage. Monitor your network traffic and your endpoints (servers, workstations and laptops) 24 hours a day. It takes about 48 days for most organizations to recognize that they've been breached, according to the 2013 survey report "Post Breach Boom" by the data security research center Ponemon. However, when your network is continuously monitored, you can spot anomalous activity as soon as it occurs.

In addition to monitoring your network, you also need to have detection systems on your endpoints (servers, laptops and workstations) that are also continuously being monitored. That allows you to see any anomalous activity on them so you can stop the attackers before they traverse the network.

(Shutterstock)

Function 4: Respond

The sooner you recognize you've been breached, the sooner you can get the attackers to minimize the damage. The longer attackers are in your network, not only do you lose more and more data, it becomes more difficult and costly to get the attackers out. Getting attackers out of your network takes a lot of expertise that most organizations don't have.

Less than half of respondents to the Ponemon Post Breach survey said their organizations have the tools, personnel and funding to prevent, quickly detect and contain data breaches. While your organization can try to respond to a breach on its own, unless it has a full-time security team that works with threats day in and out conducting incident response engagements, has a global view of the threat landscape, and is familiar with certain patterns attackers make in networks, it may not be able to remove the entire threat. If it removes all but one trace of the threat, the attackers could still be hiding inside the network.

The average time to resolve a cyberattack is 45 days, with an average cost to participating organizations of $1.6 million during this 45-day period, according to the 2014 Cost of Cybercrime Study: U.S. by Ponemon. That long time span and high cost can greatly be reduced if you understand the attackers and the ways they work. Professional incident response teams could get attackers out in hours or days compared to weeks. Security companies offer retainer contracts that guarantee experts onsite within 24 hours for breach remediation, and that you get discounted rates, usually saving you about $100 an hour. Without a retainer, it could take an organization a few days to select a response team and for one to become available.

The sooner you get the attackers out, the overall less cost. Results from Ponemon's U.S. cybercrime study show a positive relationship between the time to contain an attack and organizational costs incurring from business disruption, data loss, recovery costs and legal costs. The total annualized cost of cybercrime in 2014 ranges from a low of $1.6 million to a high of $60.5 million.

(Shutterstock)

Function 5: Recover

Recovering from an attack takes planning long before your network is breached. You should have a Business Continuity Plan in place, as well as policies and plans in place to run your website and network from another offsite location. A security consultant can work with you to help you decide how much and what data needs to be backed up, as well as what critical systems and components are essential to your organization's success. The recovery function helps you restore capabilities and services that were impaired. All these decisions need to be made before a crisis.

Although independent agents probably won't have a network to protect, at the very least, they should take applicable steps to secure their computers. They need to ensure privacy of their prospects' and clients' personally identifiable information including addresses, dates of birth, Social Security numbers, health data and insurance policy information. They should ensure their computers are password protected so an intruder would be unable to access data on it.

Use a private network at home and a virtual private network whenever connecting to a public network. Using a public network at a coffee shop or restaurant makes you easy prey for attackers to snoop and see everything you are doing on the network. They can see all the sites you visit and everything you type on an online site, such as your login credentials. The right VPN will encrypt all traffic so even if attackers manage to snoop on your online activity, all they would see would be intelligible gibberish.

Dan Bonnet serves as sales director, small and medium business – North America at Dell SecureWorks, a global information services security company that helps organizations of all sizes reduce risk and improve regulatory compliance.

Special Reports /

Breaking down NAIC's new cyber security framework guidelines

Related Stories

Recommended For You