
December 15, 2021

Take Action Now and Prevent a Cybersecurity Attack

The insurance industry continues to evolve and innovate to improve products and serve customers with new technologies. At the same time, criminals are improving their methods to exploit the vulnerabilities of these new technologies. 

Impact of a Data Breach

The Ponemon Institute and IBM Security released their annual Cost of a Data Breach report (1) earlier this year, including updated statistics on data breaches: 

  • Average total cost of a data breach rose 10% year over year, with a per-record cost of $180 for customer personally identifiable information
  • Average time to identify and contain a data breach: 287 days 

We see news of attacks every day. 

CNA Financial Corp., one of the country’s largest insurance companies, suffered a ransomware attack in March 2021. The company reportedly paid a ransom of $40 million in bitcoin. The criminals needed only a small lapse in security controls: a single employee was convinced to accept a fake web browser update served from a commercial website, and that one action gave the attackers their initial foothold.

Recently, an Iowa-based farm services provider was attacked with ransomware the week that farmers were preparing for harvest. This is an interruption to a critical component of our infrastructure and could disrupt food delivery. 

No death had been publicly attributed to a ransomware attack on a hospital until October 2021, when a lawsuit against a medical center alleged that the hospital’s patient monitoring systems were down because of ransomware, so that doctors could not identify problems that led to a baby’s death.


Attacks Are Coming From Many Sources

Further complicating the matter, cybersecurity attacks take a variety of forms: 

  • Malware
  • Ransomware 
  • Phishing emails containing a malicious attachment
  • Distributed denial of service (DDoS) attacks
  • Insider threats – deliberate or accidental disclosure of data, including lost laptops and other mobile devices 

There are even platforms, known as ransomware as a service (RaaS), that make it simple for anyone with little or no technical skill to launch a ransomware attack. Business email compromise (BEC) and related fraud scams are also on the rise: criminals use a spoofed email or a compromised account to trick employees into initiating a money transfer to a fraudulent account, often by asking for a change to a vendor’s or executive’s payment details. 

The Ponemon report identified compromised credentials as the most common initial attack vector, responsible for 20% of breaches. 
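The spoofed-email variant of business email compromise described above leaves tells in the message headers that can be screened for mechanically. The Python below is an added example written for this article; it is not a tool from Johnson Lambert or from the Ponemon report. The trusted domains, known senders, key phrases and the two sample messages are all constructed for illustration and stand in for an organization’s own lists. It flags three header indicators of a BEC lure (a recognized display name sent from the wrong domain, a look-alike or typo-squatted sending domain, and a Reply-To that redirects replies elsewhere) and weighs them against payment-change language in the body.

```python
"""Heuristic screen for business email compromise (BEC) lures.

Added example, not code from the original article. All domains, names,
phrases and messages below are constructed for illustration.
"""
from email.utils import parseaddr
from typing import Optional
import unicodedata

# Domains the organization actually corresponds with (constructed).
TRUSTED_DOMAINS = {"example-insurer.com", "acme-reinsurance.com"}
# Display names staff would recognize, mapped to the domain that person
# or team really sends from (constructed).
KNOWN_SENDERS = {
    "pat morgan": "example-insurer.com",
    "acme accounts payable": "acme-reinsurance.com",
}
# Wording typical of a payment-diversion request (constructed list).
PAYMENT_PHRASES = (
    "wire transfer", "bank account", "routing number",
    "updated banking", "new account details", "before end of day",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Case-fold and NFKC-normalize so full-width or composed characters compare like ASCII."""
    return unicodedata.normalize("NFKC", domain).casefold().strip()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sending domain imitates, or None if trusted or unrelated."""
    d = normalize_domain(domain)
    if not d or d in TRUSTED_DOMAINS:
        return None
    if "xn--" in d or not d.isascii():
        # Internationalized/punycode label: treat as a homoglyph attempt on the nearest trusted name.
        return min(TRUSTED_DOMAINS, key=lambda t: levenshtein(d, t))
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]
        if levenshtein(d, trusted) <= 2:  # e.g. example-insurer.co, examp1e-insurer.com
            return trusted
        if base in d.split(".") or d.startswith(base + "-"):  # other TLD, or a padded label
            return trusted
    return None


def score_message(headers: dict, body: str) -> tuple:
    """Score one inbound message; returns (score, reasons). Header tells weigh 2, body language 1."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = normalize_domain(addr.rpartition("@")[2])
    name_key = " ".join(display.split()).casefold()

    # 1. Display-name impersonation: a familiar name, but not from its usual domain.
    expected = KNOWN_SENDERS.get(name_key)
    if expected and from_domain != expected:
        findings.append((2, f"display name '{display}' is normally sent from {expected}, not {from_domain}"))

    # 2. Look-alike or typo-squatted sending domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append((2, f"sending domain {from_domain} imitates trusted domain {target}"))

    # 3. Reply-To pointing elsewhere, so the victim's reply reaches the attacker.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = normalize_domain(reply_addr.rpartition("@")[2])
    if reply_domain and reply_domain != from_domain:
        findings.append((2, f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))

    # 4. Payment-change or urgency language, the actual objective of the lure.
    text = body.casefold()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        findings.append((1, "payment/urgency language: " + ", ".join(hits)))

    return sum(w for w, _ in findings), [r for _, r in findings]


def should_hold(headers: dict, body: str, threshold: int = 3) -> bool:
    """Hold for manual review when at least one header tell coincides with payment language."""
    return score_message(headers, body)[0] >= threshold


# Constructed sample messages.
LURE_HEADERS = {"From": "Pat Morgan <pat.morgan@example-insurer.co>",
                "Reply-To": "pat.morgan@fast-mail.example"}
LURE_BODY = ("Please process a wire transfer to our new account details before end of day. "
             "The routing number is attached. Keep this between us.")
LEGIT_HEADERS = {"From": "Pat Morgan <pat.morgan@example-insurer.com>"}
LEGIT_BODY = "Can you send me the Q3 claims summary when you get a chance?"

if __name__ == "__main__":
    for label, h, b in (("lure", LURE_HEADERS, LURE_BODY), ("legit", LEGIT_HEADERS, LEGIT_BODY)):
        score, reasons = score_message(h, b)
        print(f"{label}: score={score} hold={should_hold(h, b)}")
        for r in reasons:
            print("  -", r)
```

Note what this does not catch: a message sent from a genuinely compromised mailbox, the second pattern named above, has a correct display name, a trusted domain and an ordinary Reply-To, and would score only on body language. That is why the primary control for this threat is procedural, out-of-band verification with a known contact before any change to payment instructions, with header screening as a supporting signal rather than the gate.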

Regulators Are Taking Action

The NAIC Insurance Data Security Model Law (Model 668) has been adopted by 18 states as of August 2021. 

The US Treasury has recommended that a uniform data security regulation be adopted by 2022. State adoption timelines usually allow one year to implement an information security program and another year to meet the third-party service provider risk management requirements. Check with your legal counsel to understand current and upcoming cybersecurity requirements in the states in which you are licensed to operate. 

What Should You Do?

Companies should start with selecting a cybersecurity framework to help guide the effort and ensure critical elements are not missed. 

Examples include: 

  • NIST Cybersecurity Framework
  • Center for Internet Security (CIS) Critical Security Controls (formerly the “top 20”; version 8, released in 2021, consolidates them into 18 controls)
  • COBIT
  • HITRUST Common Security Framework (CSF), used by healthcare organizations and their business associates to demonstrate HIPAA compliance
  • ISO/IEC 27001, the information security management system standard in the ISO/IEC 27000 series

A risk assessment is the basis of your information security program. It should be performed at least annually, or whenever material changes to people, processes or technology occur, to identify new risks and compliance gaps. 

An independent third party can facilitate the risk assessment to provide a fresh perspective and insights from similar organizations. They can also test your internal controls to identify weaknesses in both design and operating effectiveness. Action plans resulting from the risk assessment should have assigned owners, and remediation should be tracked to completion. 

Have Additional Questions?

Reach out to the Johnson Lambert cybersecurity team today and learn how we can help your organization. 

Resources

(1) Ponemon Institute and IBM Security, “Cost of a Data Breach Report 2021”

Kim Mobley

Partner