{"id":22631,"date":"2018-12-20T17:00:56","date_gmt":"2018-12-20T17:00:56","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=87736"},"modified":"2018-12-20T17:00:56","modified_gmt":"2018-12-20T17:00:56","slug":"the-challenges-of-adopting-a-consistent-cybersecurity-framework-in-the-insurance-industry","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/the-challenges-of-adopting-a-consistent-cybersecurity-framework-in-the-insurance-industry\/","title":{"rendered":"The challenges of adopting a consistent cybersecurity framework in the insurance industry"},"content":{"rendered":"
<\/div>\n

As hacking events have increased in number and severity, we in the cybersecurity community have united around common strategies that all organizations can implement to reduce their risk. Universal best practices provide organizations with many useful tools to protect their businesses. But what often gets overlooked in these discussions are the unique security challenges that each industry faces, and the tailored solutions required to address those issues. This is an area of interest to me, and lately I\u2019ve been fascinated by the path that the insurance industry is carving out when it comes to cybersecurity. Today, I\u2019ll discuss recent activity by the U.S. insurance industry and the ramifications and impact of these initiatives. In future weeks, I\u2019ll offer my insights into how other industries are confronting rising security and compliance risks.<\/p>\n

Before we dive in, let me provide a little context into why I think we should segment out insurance as an area of focus. While in many people\u2019s minds, the insurance industry is considered simply a sub-sector of the financial services sector\u2014nothing could be further from the truth. For those not as familiar with these important nuances, it\u2019s important to point out that the insurance market has its own business needs, technology requirements and adoption cycles, and buyer personas as compared to banking and capital markets. Products (security-related or otherwise) that might resonate with a banker or IT professional in banking may not be relevant to an insurance buyer, just as products that the insurance buyer finds valuable may not appeal to the banking and capital markets. It\u2019s therefore imperative that we take stock of the insurance market\u2019s efforts and endeavors when it comes to protecting insurers, their customers, and their data.<\/p>\n

Aligning behind a cybersecurity framework in a fragmented, state-by-state regulatory environment<\/h2>\n

In the last few years, the U.S. insurance industry has taken several steps to work on cyber issues. The most obvious example is the recent moves by the National Association of Insurance Commissioners (NAIC) to promote their Insurance Data Security Model Law<\/a>. This model legislation establishes a legal framework to guide state governments as they consider enacting laws to require insurance companies to implement cybersecurity protections. In general, the NAIC has become more outspoken<\/a> on cybersecurity issues (see, for example, their 2015 Cybersecurity Bill of Rights<\/a>) and has been working to ensure a consistent approach<\/a> within the U.S. market.<\/p>\n

If we look at these various activities, a few key points emerge that I think are valuable and worth keeping track of in the coming months:<\/p>\n