March 28, 2018 by David Gambrill
Insurance organizations may be good at protecting their own clients’ data, but can they prove it?
“In general, I would say that insurers are good at securing their data,” French Caldwell, a former advisor to the White House on cybersecurity, told Canadian Underwriter in an interview Tuesday. “What they may need to take a look at is, ‘Can you prove to others that you can?’”
Or more specifically, can they prove it to regulators?
A very active global regulatory environment around cybersecurity means that insurance organizations will need to prove not only that they are good at protecting client data, but also that they have an adequate cybersecurity response in place for when an “inevitable” breach occurs, Caldwell says. Caldwell is chief evangelist at MetricStream, a governance, risk, and compliance apps company based in California.
Regulators around the world have either passed — or are just about to pass — laws calling on insurance and other companies to prepare themselves for a possible data breach. Examples include:
The regulators will be looking for more than just whether insurance organizations can protect their clients’ data, Caldwell said. “You will have a data breach, just assume it,” he said. “No matter how good you are [at protecting data], you will have a breach.”
Insurance organizations also should be shoring up their cybersecurity responses, he said. That includes asking themselves the same sorts of questions that they would be asking of their commercial cyber clients. For example:
Caldwell observed that property and casualty insurance organizations routinely provide cyber risk advice to their corporate clients. But do they practice what they preach?
“It’s the old saying about the cobbler’s children having no shoes,” he answered. “There’s a lot of validity in that statement.”