Over the course of 2016, 980 separate data breaches occurred in the US, according to data collected by the Identity Theft Resource Center; over 35 million records were stolen in those 12 months alone.
Over the last decade, a clear trend has emerged in which sectors are most at risk of data breaches. In the US, the number of breaches occurring in the education, government, and, to some extent, finance industries has contracted or remained roughly the same. In contrast, the business sector (including retail) has experienced an increase in the number of breaches, whilst the health sector has witnessed a significant upward trend.
It is easy to see why institutions that hold money are a target for cyber crime. But the idea that cyber attacks are solely for financial gain is no longer as true as it used to be. Hacktivists and state actors targeting government bodies have shown that the world of data theft has evolved beyond that.
A question the insurance industry should be asking is which sectors are most at risk based on the type of information that is being stolen. Where large banks and financial institutions are able to throw large sums of money at security systems and protocols that attempt to mitigate the effects of cyber attacks, institutions and sectors that don't have those resources are more open to an attack and, more often than not, less able to respond until well after the event.
Where the more traditional concerns would relate to the theft of financial data (including account numbers and card details), there appears to have been a shift towards the violation of more personal and medical or insurance-related data. One explanation points to the value of the records being targeted and stolen. Reports have suggested that, on the dark web at least, records containing usernames and passwords can reach USD 5 per record, and those for social media accounts can attract up to USD 10. In contrast, an individual's medical records can be valued at up to USD 50 each. The records being stolen are more valuable monetarily and are often held by businesses that can't afford to, or are unaware that they should, devote more focused resources to the protection of consumer data.
Some of the companies suffering breaches in 2016 alone were HSBC bank, Aon Hewitt, Federal Deposit Insurance Company (FDIC) and even Walmart. One lesser-known story was the breach of 21st Century Oncology, a private medical company based in Florida. A hacker stole over 2.2 million patient records, including Social Security numbers and insurance information. The Aon Hewitt incident was reported at 2,892 records and included first and last names and employment status. In recent years we have also seen the huge-scale breaches suffered by the likes of Anthem and Premera Blue Cross.
Reports put the average cost of a data breach pay-out by insurers at close to USD 5 million, and the average pay-out by the insurance industry for breaches in the healthcare industry at just short of USD 1.5 million. It is paramount for insurers to identify how exposed their policyholders are to a large-scale breach and whether they have an effective risk management strategy in place to deal with one when it occurs.
An obvious and favoured target of data breaches, the banking industry responded early to the threat of cyber liability with the implementation of robust security measures, leaving insurers at risk of being seen as the soft target for valuable information. Because the insurance industry relies heavily on retrieving sensitive data from policyholders to assess risk, it must prove to its clients that it too is subject to the same stringent data security measures, so that the relationship of trust is maintained.