“There are only two types of companies: Those that have been hacked, and those that will be.” — Robert S. Mueller III, former FBI Director
Cyber incidents can expose businesses to significant financial and reputational costs, damage their competitive edge and potentially put companies out of business entirely. Consumers depend on insurance companies to provide protection and support in trying times, but what happens when the insurance company itself becomes vulnerable to cyber risk? Like any other business, insurers must assess their own cyber risk.
In this constantly evolving digital age, where cybercrime is more profitable than ever for scammers and remote working exposes companies to additional cyber risks, businesses are frequent targets for cybercriminals. Insurance companies are no different. Every day, individuals and businesses entrust vast amounts of private, sensitive information to insurance companies, including social security numbers, financial records, business trade secrets, private information of company executives and private health information. There is an inherent trust consumers place in their insurance carrier to safeguard their data.
As insurers increasingly shift towards digital mediums to foster customer relationships and increase efficiency, the attendant cyber risk is palpable. A data breach for an insurance company yields catastrophic risk, including financial and reputational damage — in addition to potential legal exposure, fines and penalties. The risk of cybercrime erodes the trust a current or prospective consumer has in their insurer. And because insurance companies can be a treasure trove of profitable, invaluable information to hackers, proper protection from these risks is vital.
A 2022 study from Gartner predicted that “45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” With the elevated risk of cyberattack, insurance carriers and businesses alike can take practical steps to mitigate their cyber risks:
- Purchase cyber insurance. Cyber incidents can be financially catastrophic to any business. A typical general liability insurance policy generally excludes coverage for cybercrime. While errors and omissions insurance may provide coverage for some cyber incidents, it is typically narrow in scope. Thus, insurance carriers need to obtain comprehensive cyber liability insurance to mitigate cyber risk. Cyber insurance can be purchased for first- and/or third-party coverage. First-party cyber coverage includes protection for financial loss to the business itself. Carriers should ensure first-party cyber coverage includes business interruption losses following a cyberattack, extortion payments, costs to investigate the cyber incident and legal costs, as these are not necessarily included in every cyber policy. Third-party policies provide cyber coverage for third-party claims or lawsuits brought against a company for damages following a cyber incident. It is critical to ensure any third-party policy includes coverage for payments to consumers impacted by the cyber incident, claim and settlement expenses, damages resulting from potential trademark or copyright infringement and costs related to responding to regulatory inquiries following a cyber incident.
- Enforce cybersecurity protocols. Insurance carriers are advised to refocus their outlook on cyber incidents to an expected risk instead of thinking “it could never happen to us.” This includes proactively enacting and enforcing clear and written cybersecurity protocols. These protocols should include maintaining technical controls such as firewalls, intrusion detection, regularly updated antivirus software, encryption standards, password requirements, multistep authentication processes to authenticate a user and device before accessing internal information, access privileges, monitoring network traffic and mandating the use of a virtual private network. Carriers should also aim to work with third-party vendors that employ high security standards to avoid an indirect cyberattack. Insurers increasingly utilize vendors to perform parts of their operations, which increases the “attack surface” for cybercriminals by allowing them to exploit the vendors’ security systems to reach the insurer’s data.
- Promote a culture of security. Cyber incidents oftentimes occur because of human error. With the recent trend of encouraging hybrid or full-time remote employees and the advent of digital nomads, training and protocols are even more critical. Working from home or in public spaces such as hotels and coffee shops is inherently less secure, allowing hackers easier access to vitally important and sensitive data. Carriers should have systematic cybersecurity training and protocols in place for their employees. It is advantageous to provide training that educates employees about the tactics cybercriminals use to infiltrate a workplace, teaches them how to identify potential cyberattacks and highlights the importance of vigilant awareness of cybercrime. Similarly, a company should maintain protocols for employee compliance with training materials and remote working guidelines — as well as disciplinary actions for violations of these very protocols.
- Develop an incident response plan. Maintaining a cybersecurity incident response plan provides readiness and certainty in the face of a potential cyberattack. This plan may include the mobilization of a response team including industry experts to swiftly evaluate and assess the cause and potential impact of the cyberattack, reporting to local law enforcement, evidence gathering, a containment strategy and reporting this information to the people who are potentially impacted.
Development of internal practices and a strong cyber incident response plan is essential following the U.S. Securities and Exchange Commission’s 2023 cybersecurity regulation enactments. These rule changes require Form 8-K disclosure of material cyber incidents within four business days after the company first learns of a potential cyber incident. The disclosure must include the nature, scope and timing of the incident, as well as the potential material impact on the company. In addition, the new SEC rules require annual disclosure of a company’s cybersecurity risk processes, including how it assesses, identifies and manages material cybersecurity risks, as well as the likely impact of a cyber incident on the company. Companies will be required to disclose the steps to be undertaken by a board of directors and management to alleviate material cybersecurity threats. These disclosure requirements underscore the need for robust, continuously evolving internal cybersecurity practices, as cyber risk prevention remains at the forefront of risk mitigation.
Cybercriminals are always seeking new ways to infiltrate the sensitive and private data routinely maintained by insurance companies. While not all cyberattacks can be prevented, carriers should invest in cyber insurance — and in their teams — to thwart cybercrime attempts, especially following the SEC’s recent cybersecurity protocol disclosure requirements.
Daniel DiLizia is a shareholder at Segal McCambridge Singer & Mahoney. He may be reached at DDiLizia@SMSM.com.