LOUISVILLE, Ky. — Every day, there are cyberattacks, and we continuously move more of our lives online where we are vulnerable to attacks. Insurtech is no stranger to these sensitivities, as was the case with insurance technology startup company BackNine, which recently had a major security breach. Statistics show that human error is responsible for approximately 88% of all data breaches. By some counts, there are more than 2,200 cyberattacks per day — that equates to about one cyberattack every 39 seconds. According to a 2021 IBM and Ponemon Institute study, a breach can cost a company $4.24 million, which is 10% more than what it cost in 2019.
“There will be more attacks, and businesses have to prepare for and anticipate the future,” said Jason Thomas, chief technology officer for Traffk. “While a lot of companies think they’re safe because they don’t have web-facing applications, it actually opens them to more attacks.”
BackNine’s unsecured server exposed more than 700,000 insurance applications. That server, which was hosted through Amazon’s cloud service, was misconfigured to allow anyone access to it. Amazon storage servers are private by default, meaning someone had to manually adjust settings so that none of the data was encrypted. Essentially, a seemingly small human error left highly sensitive personal medical information of applicants and their families exposed. That includes Social Security numbers, medications, and even driver’s license numbers.
Thomas says it's important to pay attention to data breaches at other companies in order to understand how your business might be vulnerable. Having your own proprietary software, rather than relying on an insurance partnership for security software, can give your business more control over security settings. It also means being able to make quick adjustments based on how other insurance technology has been breached.
Digitization can also be used to improve at-risk insurance enrollment, but that relies on trusting that your medical data will be kept safe. Getting the instant life insurance quotes many companies now provide means handing over sensitive identifying information, which can put consumers at risk of identity theft. It’s imperative as Insurtech grows that people are confident their private medical information will be treated with the care it requires.
Insurance entails collecting personal medical data and history, and that information is protected by both HIPAA and consumer privacy laws. Data breaches can put insurance partnerships and companies at risk of not complying with those necessary consumer protections. Cloud technology can help protect data privacy with increased safeguards and security at every endpoint.
Artificial intelligence and machine learning are also part of the solution. Humans cannot respond to threats as quickly as AI and ML. However, those technologies cannot stay up to date on how other industries have been breached, which is where humans can help. Robotic process automation (RPA) is a software technology that makes it easy to build, deploy, and manage software robots that emulate human interactions with digital systems and software. Thomas said RPA is one part of the solution, but it’s only as good as the human who programs it. Despite all of these tools, top industry researchers have found that human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.
Thomas has some advice on what to do after a security breach.
- Notify everyone about the breach, including customers and clients.
- Do background checks for up to one year for the people affected.
- Correct the error that caused the breach.
- Protect data on the endpoint — software should be installed directly onto a computer to ensure security continues no matter where the device is located.
- Protect data on portable devices by using encryption.
- Use compliance profiles.
Attacks are going to continue and will likely increase both in number and complexity. Companies are looking into software as a service (SaaS) and platform as a service (PaaS) as a way to better protect consumer data and information. This technology is easy, cost-effective, and scalable, and allows room to experiment and update it as new types of threats are discovered. There is more data to protect, making insurance technology security all the more essential. Insurance companies have to be diligent, as no system is impenetrable.
However, no matter the amount or quality of security software, human error is always a factor. It is therefore imperative that businesses continuously educate and train employees in the latest consumer and client data security measures.
“The solution lies in insurance companies taking steps to ensure consumer data is safe,” Thomas said. “Because the threat of cybersecurity isn’t going anywhere.”