
How the Cybersecurity Executive Order Impacts the Insurance Industry

The Executive Order on cybersecurity builds on the work of past administrations and on the increasing pressure on insurance companies and others to take action to prevent cybersecurity attacks. Where attacks cannot be prevented, the damage must be mitigated and the response must be quick.

As the Executive Order states: "The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.  The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors."

To do so, the insurance and other industries are mandated to take certain actions: "The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace."

Protecting the Data the Industry Gathers

First, the most important element is the protection of all the PII insurers gather about their customers. To underwrite policies properly, this data is needed, but it makes the insurance industry a ripe target for cybercriminals.

A recent survey of twenty insurance company security professionals asked them a single question: “What are the top security considerations for insurance companies and how do they mitigate [them]?”

The top answers all addressed securing the data the industry collects, as well as establishing new technology and security protocols.

Adapt Technology and Policy to Meet Current Threats

The first step is to improve technology and policies. These two things must work together. Technology alone is not enough. Company policies must be designed to prevent cybersecurity events, and establish standard operating procedures to guide any response. Without both in place, the potential risk is much higher.

The Executive Order speaks directly to this, stating, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” The issue has moved past the point where case studies and eventual development and implementation are enough.

Good RMIS software lets companies keep all their data in one place, where it can be analyzed and secured more effectively. That means better protection, but as the Executive Order states, it is not enough by itself: good risk management software is no substitute for a good product.

Products must be built and operated safely, states the Executive Order. This has been highlighted by companies that have faced not only cyber attacks but other technology failures. Southwest Airlines is a current example: Captain Casey Murray, president of the pilots' union, told NPR regarding recent extensive flight cancellations and other issues: "We have been operating with older technology that has not scaled with our business growth. We have attempted to update our systems, but we have not done enough."

Such old systems leave companies vulnerable and can expose their insurers to greater risk. Insurance companies must not only update their own software and systems but also evaluate the products their clients are using. Ultimately, this is a responsibility to reduce risk not only for themselves, "but for the American people and the Federal Government."

Removing Barriers to Sharing Threat Information

The next section of the Executive Order discusses the sharing of threat information as it happens, by both the Federal and private sectors, and specifically by companies that work with the Federal government or its contractors. This includes insurers who work in this arena. The order calls for transparency and sharing of information.

In other words, the private sector must collaborate with others in their industry and with government agencies. It's never been advisable for companies to hide attacks until they can get them under control, but this order mandates openness and the insurance industry must respond accordingly. 

“The insurance industry has come a long way in its understanding of cyber terrorism, (Hostile Cyber Activity) and cyber war, and assessing how to insure such risks,” according to a report by the Geneva Association, an insurance-industry think tank. “To expand the limits of insurability, insurers need to be proactive in assessing feasible options for sharing cyber risks, including with governments via [public-private partnerships]. Such collaborative efforts between insurers and governments will enable cyber protection gaps to be narrowed and ensure the full societal benefits of cyberspace can be realized.”

A Coming Federal Insurance Program?

As a part of this order, the Federal government will take several actions. The first is to appoint a National Cyber Security Director, a new position designed to consolidate efforts to control and respond to cyber-attacks. The second is to establish a Cybersecurity Review Board. In addition, new regulations have been proposed to ensure risk management and security software does what it says it will do. This includes the establishment of labeling directions. For insurers this means two things:

  • They must use software that complies with the new standards and regulations.
  • They must ensure that the clients they insure do the same.

But there is talk that, with all this consolidation, there may be a need for a new Federal insurance program to respond to cyberattacks and help cover those costs, similar to what the FDIC does for banks. While this is only conjecture at the moment, most insurers and other companies applaud the move to more standardized regulation and industry standards for information security.

Added Urgency in Cybersecurity

The insurance industry has indeed made progress. But the recent Executive Order adds urgency to that equation, an urgency that can’t be ignored. 

What does the future hold for insurers? As security evolves, so will the work of bad actors, and perfect protection will always be a moving target. As the Executive Order states: "The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced."

 
 
 
 

May 2, 2023
