As data breach incidents have steadily increased over the past several years, cybersecurity has become a top priority for insurance executives, leading to greater involvement from their governing boards, more emphasis on incident response and increased hiring of cybersecurity specialists.
Most insurers have shifted cybersecurity oversight to a CISO or a CIO, according to a survey by Moody’s Investors Service, with 95% of respondents indicating that senior executives receive reports at least quarterly, including 23% that report weekly. More than half indicated that cybersecurity concerns are being reported at the board level on a quarterly basis.
The survey, which featured responses from 56 insurers across a range of industries, including healthcare, also found that executives are more involved in incident response plans. In 2015, nearly 40% of respondents had activated an incident response plan or escalation to executive management, compared to less than 15% in 2012.
"Cyberattacks can have serious tangible consequences for insurers, exposing them to legal actions, regulatory scrutiny, fines and other expenses," Moody's Senior Vice President Alan Murray said in an announcement detailing the report. "In addition, an insurer's reputation is at stake."
Some of the other notable survey results included:
- Nearly two-thirds of respondents said they had increased cybersecurity outsourcing over the last three years, a trend driven by access to specialty expertise and hiring challenges.
- Hiring for cybersecurity positions has also surged since 2012, with an annual growth rate of nearly 30%, twice the rate of overall IT hiring.
- Cybersecurity priorities are divided equally among a range of issues, but some of the top concerns include detection and monitoring, data loss prevention, and access rights and controls.
Last year was a banner year for EHR security breaches, with an increasing number of threats tied to hacking, ransomware and actions from internal employees. A report released in January indicated that the 2015 Anthem hack was most likely perpetrated on behalf of a foreign government by exploiting security weaknesses that were common within the health insurance industry.
This week, the Government Accountability Office (GAO) reiterated its ongoing cybersecurity concerns across federal agencies, pointing to specific weaknesses in hospital medical records and state-based insurance marketplaces.