Pandemic: Have You Thought of Regulators and Cybersecurity?

We are well into the COVID-19 pandemic and the resulting recession. We are all busy worrying about running key processes (e.g., claims adjudication, call center, taking payments) from people’s homes. However, there are some other areas of concern that may not be top of mind but will become increasingly important. The first of these is cybersecurity.

A good security program consists of the following:

  • Security governance policy development
  • Security engineering
  • Maintenance, monitoring, and testing
  • Security incident response
  • Risk analysis
  • Providing advice and support
  • Application security
  • Data security
  • Computer forensics and investigations
  • Security awareness
  • Communicating the state of security

These elements need to continue to operate during this pandemic. The pandemic is an opportunity for the bad guys and gals to exploit environments and steal data. Bloomberg reported recently that the US Health and Human Services Agency experienced a cyberattack, most likely by a foreign actor. People are now working from home PCs in large numbers. Are these PCs coming in via VPN, or are they company-issued machines with proper protections?

Zero-day malware could place a keylogger on a person’s home PC, infect your PC and other people’s PCs, and put the company’s data and passwords, as well as your staff’s personal data and passwords, at risk. A VPN connection may or may not protect against this issue.

Let’s think about medical data. Telehealth will open to people on Medicare. We may see the same for carriers providing workers’ comp coverage. Could the medical data be stolen if the PC or Telehealth apps are not appropriately secured? What about ITO and BPO support staff located in foreign countries? Can these folks work securely from their homes?

Historically, working from home was not allowed for offshore workers due to security concerns. There is the potential for fraud and misinformation related to embedded links in emails that may appear to have a legitimate relationship to the pandemic (e.g., a fake government alert).

The second of these areas of concern is regulators. The NAIC has set up a central website to coordinate regulatory information for carriers. You may have exclusions built into your life insurance, workers’ comp, or business interruption policies that you believe will prevent large numbers of claims. However, this may not be the case. New Jersey is looking at passing legislation that would force insurers to pay COVID-19 business interruption claims.

Insurers will need to document the processes they are putting in place now to support critical insurance business capabilities so that they can demonstrate they are remaining compliant with regulations, including NYDFS and CCPA. One needs to ask if all of the processes in place to ensure regulatory compliance will even continue to operate during the pandemic.

This is a time of change. During this time, we need to think about the immediate concerns as well as other, less obvious areas that could have just as much impact on the survival of insurance carriers or their reputations.
