Due to the sensitive nature of the data they collect, insurance companies are subject to strict data protection regulations, often more so than other businesses. Under the EU’s General Data Protection Regulation (GDPR), a significant chunk of the customer data they need to collect for insurance purposes is part of its special category data. In the US, a lot of insurance data falls under the scope of specialized laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Graham-Leach-Bliley Act (GLBA), or Sarbanes-Oxley Act (SOX). These regulations bring with them considerable fines in case of noncompliance.
Data breaches can be especially damaging to an insurance company’s reputation and bottom line. Trust is an essential part of every successful insurance business and, if it is compromised, customers are likely to turn to other companies with better standing.
Beyond regulatory requirements, the insurance industry is one of the most attractive targets for cybercriminals, not only because of the amount of data it collects but also because it opens the door to insurance fraud. These kinds of attacks do not always exploit vulnerabilities within a system, but increasingly target careless employees through phishing and social engineering.
Add to this the mistakes employees themselves make through pure human error and it is clear insurance companies looking to secure their data must look both to internal and external threats when developing their data protection policies. Here are our tips for the insurance industry:
1. Protect data on the endpoint
Insurance companies tend to have a very mobile workforce. From insurance inspectors making field visits to sales representatives doing on-site presentations or evaluations, many employees venture outside of the office on business. In today’s digitized work environment, when they do, they take their work computers with them and access them remotely. Leaving the security of the company network can spell disaster for data: many data protection tools are applied at the network level and therefore leave devices vulnerable once they are outside it.
The solution is fairly easy: companies must protect data directly on the endpoint. This means that software is installed directly on a computer and ensures security continues wherever a device is physically located. In this way, whether employees connect to a public wireless computer on the go or leave their devices open where third parties have access to them, data protection policies will ensure that sensitive data stays secure.
2. Protect data on portable devices
Another frequent blind spot of data protection strategies is portable devices. Many data protection strategies focus on internet-based threats and neglect the easy way in which data can be simply copied onto a USB stick, a laptop can be stolen from an employee on his way to a business meeting or a phone can be forgotten in a car or coffee shop.
The best way to protect against this kind of data theft or loss is encryption. By ensuring data on portable devices is always automatically encrypted, that hard drives are encrypted and that remote wipe and encryption are activated on mobile phones, companies can help mitigate the threat. For portable devices, device control policies can also help block their connection or regulate which devices are allowed to connect to a computer.
3. Use compliance profiles
Since the advent of the GDPR and its record-breaking fines, compliance with data protection legislation has become a key concern across all sectors. And with new regulations emulating the European law popping up across the world, it seems no organization can escape it. In some countries, like the US, insurance companies must often comply with specialized legislation like HIPAA, GLBA, and SOX, but also international standards like PCI DSS.
This increased need for compliance has prompted the development of data protection policy profiles that make it easier for companies to use tools such as Data Loss Prevention (DLP) solutions in their compliance efforts. What this essentially means is that these tools come with tailor-made profiles for specific laws such as GDPR, HIPAA, etc. which allow companies to make the best of their DLP tools without having to go through the process of using legal requirements to build their own policies.
These profiles do not ensure compliance by themselves but significantly contribute to it. Complex cybersecurity frameworks that combine data monitoring, DLP tools, and antivirus software, among others, are needed to reach full compliance, but these profiles make data loss prevention easier to implement as part of data protection strategies.
Frequently Asked Questions
Cybersecurity threats are among the most important risks facing the insurance industry. Common cyber threats affecting insurance providers include both external attacks such as phishing or malware infections and insider threats caused by human error or malicious employees. Attacks on insurance firms can result in significant damages such as fines, legal fees, or lawsuits, as well as in the loss of customer trust. Since the insurance business revolves around trust, a major breach can have serious impacts on an insurer’s brand and market value.
A risk assessment, in the context of cybersecurity and data protection, is the process of identifying, analyzing, and evaluating the risks that a company’s IT infrastructure and data face. They are useful not only for compliance with data protection regulations but also to help organizations identify key vulnerabilities and build efficient data protection strategies to meet them.
- Sarbanes-Oxley Act (SOX): applies to all publicly traded companies in the US and it also regulates accounting firms that audit companies
- Gramm-Leach-Bliley Act (GLBA): applies to all companies that offer consumers financial products or services like loans, financial or investment advice, or insurance
- Payment Card Industry Data Security Standard (PCI DSS): applies to all organizations worldwide that accept, transmit, or store any cardholder data
- General Data Protection Regulation (GDPR): applies to all organizations collecting and processing personal data of individuals residing in the EU, regardless of the company location
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.