Surety Professionals Should Heed New Insurance Regulatory Guidance

By Dan Bonnet

In the wake of some of the largest data breaches to hit health insurance companies, the National Association of Insurance Commissioners (NAIC) has followed on the heels of the Securities and Exchange Commission and has issued guidance on cybersecurity. Because nearly all surety bonds in the United States are underwritten by subsidiaries or divisions of insurance companies, bond producers and insurance companies with which they work should heed the new guidance released in April.

The NAIC’s Principles for Effective Cybersecurity: Insurance Regulatory Guidance (Guidance) looks to state insurance regulators “to ensure that personally identifiable consumer information held by insurers, producers, and other regulated entities is protected from cybersecurity risks.” Although not yet a requirement, the Guidance is applicable to independent producers, agencies, insurers, and the contractors with which they work. If the Guidance is not followed, producers and insurers could be held liable for loss.

Hackers are after personally identifiable information (PII), such as a person’s full name, date of birth, address, and Social Security numbers, which can be sold online in underground markets where buyers may use it to open fraudulent credit card accounts. Cybercriminals have broken into the networks of insurers that provide surety bonds. One company was hit with a virus that had the potential to capture confidential data, including bank account numbers, Social Security numbers, and credit card numbers.

The Guidance encourages producers, agencies, and insureres to secure data and maintain security with nationally recognized efforts, such as those embodied in the National Institute of Standards and Technology (NIST) framework. NIST is a non-regulatory federal agency that promotes innovation in science and technology. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.

Independent producers should be sure that their computers are password protected to help prevent an intruder from obtaining information on clients. They also should be sure to keep applications such as Java, Adobe, and Flash up-to-date and, whenever using a public wireless connection, such as one at a coffee shop or restaurant, to use a Virtual Private Network that encrypts all incoming and outgoing Web traffic. Attackers could be in the location using radio-type devices to “listen in” on computer communication. If traffic is encrypted, all an attacker would see would be gibberish.

The basic function of the NIST framework consists of five functions, each divided into subcategories, as well as standards, guidelines, and best practices. A security consultant who specializes in threats and cybersecurity can assess your network and help you secure your network using the NIST Framework and other standards, such as the SANs Critical Security Controls, a global standard updated every year and focused on what SANS believes are the most critical security controls for the present year. Whomever you work with should be familiar with common threats targeting the insurance industry, as well as the tactics, techniques, and procedures attackers are using around the globe.

NIST Five Functions
Function 1: Identify Identify your assets and risk so you can prioritize your security efforts. The first thing you’ll need to do is conduct a risk assessment to identify all your information assets, such as client lists, business strategies, marketing information, and client data. Then rank each of them according to their values, from very low to very high, to help you focus on protecting the high-value data. You’ll also need to do a vulnerability assessment to see what systems and company Web-facing applications are weak. Your assessor can help you rank the likelihood and probability of a threat exploiting certain vulnerabilities and can assess your internal and external network controls, policies and procedures, gaps compared to regulations, and best practices.

Function 2: Protect Once you know your information assets and their values, you can gauge your resources accordingly and decide what measures to take to protect them. Not only might you need security devices and software, but also you’ll need people to continually operate the devices. Many organizations erroneously believe that they can buy a security solution to protect their networks from intruders. However, all cybersecurity protective devices (firewalls, instruction protection/detection systems, unified threat management appliances and others) need to be consistently configured, managed and updated with the latest patches—as long as the update will not harm the network.

Function 3: Detect Although you could have hundreds of preventive controls to prevent security incidents, some will still occur. That’s why it is important to be able to detect any anomalous activity as quickly as possible to get any attackers out as quickly as possible to prevent or lessen any damage. To spot attacks quickly, you need to monitor your network traffic and your endpoints (servers, workstations, and laptops) 24 hours a day. It takes about 48 days for most organizations to recognize they’ve been breached, according to the 2013 survey report “Post Breach Boom” by the data security research center, Ponemon. However, when your network is continuously monitored, you can spot anomalous activity quickly. In addition to monitoring your network, you also need to have detection systems on your endpoints (servers, laptops, and workstations) that are also continuously being monitored. That allows you to see any anomalous activity on them so you can stop the attackers before they traverse the network.

Function 4: Respond The sooner you recognize you have been breached, the sooner you can  stop the attackers  and minimize the damage. The longer attackers are in your network, not only do you lose more and more data, but also it becomes more difficult and costly to get the attackers out. The average time to resolve a cyberattack is 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period, according to the 2014 Cost of Cybercrime Study: U.S. by Ponemon. That long time span and high cost can greatly be reduced if you understand the ways the attackers work. Professional incident response (IR) teams that conduct IR engagements full time could get attackers out in hours or days compared to weeks.

Function 5: Recover Recovering from an attack takes planning long before your network is breached. You should have a Business Continuity Plan in place, as well as policies and plans in place to run your website and network from another offsite location. You should always keep hardware backups of your data each day.  Help your contractor clients be more aware of how they can secure their data. The NACI’s Guidance can be a valuable reference.

Dan Bonnet

Dan Bonnet

Dan Bonnet is the director of Small & Medium Business North America for Dell SecureWorks, which is a a global information services security company that helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. Bonnet has held several roles in technology consulting and business process optimization. He can be reached at dbonnet@secureworks.com or 404.486.4478.