Industry Insights • 10 MIN READ

Cyber Security to Enhance Compliance. What the Insurance Sector Needs.

by Eleanor Barlow • Jun 2023

The insurance sector, both financial and healthcare related, is subject to strict compliance and regulatory requirements. From an industry perspective, this means insurers must be exceptionally capable when it comes to their cyber security strategy, have the right resources in place, and apply zero trust policies to reduce the likelihood and impact of data breaches.

A key challenge in the industry is that not all insurance companies are IT companies. People within these companies hold business positions, not security titles. They are not in the business of running security stacks and monitoring. While some organisations do have security teams, those teams are usually thin on resources, and the skills required are often lacking.

Healthcare Insurance Regulatory Compliance

Insurance companies operating in healthcare collect and hold vast amounts of personally identifiable information (PII): first and last names, dates of birth, addresses, and so on. In the US, Social Security numbers are stored, as are details of health history. As a result, government regulatory requirements apply to every insurer collecting this sensitive information. In the US this includes the HIPAA Privacy and Security Rules, which govern Protected Health Information (PHI) and cover both the healthcare data itself and the processes used to handle it.

Despite the fact that ‘91 percent of hospital administrators considered the security of data as a top focus last year’, a concerning ‘62% feel inadequately trained and/or unprepared to mitigate cyber risks’ that could impact their healthcare organisation. This data comes from a report by Abbott Laboratories.

Financial Insurance Regulatory Compliance

Financial insurance companies are heavily controlled under compliance and regulatory regimes that differ from those in other industries. Examples include anti-money laundering (AML) legislation and the Bank Secrecy Act (BSA). According to the fraud detection and AML compliance company ComplyAdvantage, ‘The Bank Secrecy Act is intended to not only aid the fight against money laundering but to ensure that banks and financial institutions are not used as tools to facilitate it. Under the Bank Secrecy Act, institutions must work to detect and monitor potential money laundering activities, and report them to the authorities so that AML enforcement actions can be taken.’

‘All insurance organisations must remain compliant with these acts, otherwise they will be shut down, and unlikely to ever recover. Companies that do not uphold these regulations will be on the front page of the news. They will be finished. Compliance is essential. The right cyber security strategy is essential to work with these compliance requirements. Too much is at stake.’ – S.C., Head of Innovation, SecurityHQ

This is why ‘controlling the users, the logs, and the security within insurance companies is essential to meet these requirements. This is especially true when regarding data protection and information security. Even more so when this data concerns the handling of financial, personal and/or client-sensitive information.’ – Threats Impacting the Insurance Sector

MSSP Support to Enhance Compliance

While enhancing your cyber security with a Managed Security Service Provider (MSSP) is a great step in the right direction, not all MSSPs are focused on compliance. An MSSP can take over monitoring 24/7 and act as a first line of defence. Most MSSPs will say ‘We will run MDR for you!’ (managed detection and response), which is useful, but what insurance companies, in both finance and healthcare, really need is alignment of those security services with the regulatory requirements they are subject to.

“SecurityHQ are among only a small number of organisations to have achieved CREST’s Security Operation Centre accreditation, which demonstrates the high maturity of our service offering. SecurityHQ passed the audit with CMMI maturity ratings of 5s and 4s, the highest levels, across the board; the audit measured a range of service attributes, from service delivery and assurance to threat intel, investigation, and detection capabilities.” – Chris Cheyne, CTO, SecurityHQ.

To comply with the highest audit standards, SecurityHQ maintains compliant processes and demonstrated maturity in customer service, escalation management, and information management. CREST member companies undergo regular and stringent assessment, while CREST certified individuals sit rigorous examinations to demonstrate the highest levels of knowledge, skill, and competence. To keep knowledge current in fast-changing technical security environments, the certification process is repeated every three years.

Furthermore, as part of the European Union’s legislative framework, the Digital Operational Resilience Act (DORA) sets a common standard for managing ICT-related operational risks, such as cyber threats, system failures, and other operational disruptions caused by digital information and communication technologies. With the aim of fostering digital finance, the act requires financial entities, including banks, insurance undertakings, crypto-asset service providers, and data reporting service providers, together with the critical ICT third-party providers they depend on, such as cloud service providers, to have robust and effective risk management practices in place to manage, mitigate, and prevent these risks. DORA applies from 17 January 2025.

Next Steps

Insurance companies need vendors who speak their language, who can understand their business, their goals, their values, where they sit in the market, and more. To make the entire process seamless, SecurityHQ is committed to working with you to understand your vulnerabilities, and to enhance your business cyber security posture.

View our comprehensive list of services to learn how we can address your unique cyber security concerns, or speak to a cyber security expert to learn more.