Network and system monitoring are an important part of any well-formed security program, not to mention a requirement for some industry regulations. To understand what we mean by monitoring and how better insight can lead to a more prepared organization, I am going to break down the topic for business and system owners.
This week Tandem Cyber Solutions had the privilege of presenting to the Lowcountry Senior Network on the topic of “Healthcare through the Eyes of an Attacker”. We demonstrated the importance of a strong password and how easily an attacker can take over a health care system. Hopefully LSN enjoyed the time as much as we did. To follow up on the information in the presentation, we created a list of items that will substantially reduce the risk of any health care business.
Co-Founder + Forensic Expert
My trip to Columbia, SC was a great opportunity to sit down with others in the insurance sector and get some clarification from the Department of Insurance (DOI) about the Insurance Data Security Act (IDSA). Melissa Manning and Kendall Buchanan, DOI Representatives, provided answers to questions submitted by insurance professionals and gave attendees tips on how to stay informed of the latest information. Below are important details shared with attendees during this meeting.
Inclusion & Exclusion
The Insurance Data Security Act (IDSA) specifies which parties in the insurance sector fall under it, including those classified as a “Licensed Excess”, “Surplus Line Carrier”, and “Captive Agents”. More specifically, inclusion starts at ten or more employees for the insurance entity, and a party can be excluded if it is fully covered under a parent company’s Information Security Program (ISP).
For those agencies that are covered by HIPAA, IDSA compliance is inherent because the Health Act is more stringent. The Department of Insurance is drafting a to certify organizational exclusion from the Insurance Data Security Act.
Access & Encryption
Security fundamentals dictate that organizations should take a “least privilege” approach to user access, and the IDSA has not strayed far from that approach. In fact, under the guidelines of the Insurance Data Security Act, companies should restrict access to Non-public Information to those employees or third-party entities who have a legitimate need to access it.
Encryption is unfortunately a topic where the IDSA diverges from common information security practice. The act does not require that companies encrypt any of their data or information. However, a company should still implement encryption, because having data encrypted could save the organization millions in fines and costs from a breach. Encryption protects the data, and the theft of encrypted data is not considered a reportable event by the Department of Insurance unless the encryption key is also compromised. That makes protecting the keys, separately from the data they protect, as important as the encryption itself.
Third-party Service Providers
If third-party service providers have access to non-public information, insurance companies will need to continually assess their relationship with the service provider. As a reminder, non-public information is defined in broad terms as sensitive business-related information of the licensee or the private information of the client. I encourage any entity covered by this act to truly understand non-public information as defined by the DOI, because those who have access to it must meet the requirements of this act. Furthermore, this forces insurance companies or licensees to take responsibility for ensuring third-party service providers are compliant.
Still unclear at this time are the ramifications when a third-party service provider fails to cooperate with the insurance licensee in developing a comprehensive information security program. Does an insurance licensee have to find a new provider or move the services back within their own control? Hopefully as this act matures, as HIPAA did, these questions will be answered.
Risk Assessment
Insurance companies must conduct an annual risk assessment, which is akin to a standard information security assessment. While the act does not specifically lay out the steps required during the risk assessment, it does define tangible steps or activities needed based on the results.
Additionally, the thoroughness of the risk assessment depends upon the complexity of the entity’s operational and information systems, but it should include all facets of the business operations and information security. Each licensee will have to evaluate the scope of their operation and make sure the security measures are commensurate.
Licensees may conduct the risk assessment in house if they have the expertise, such as a qualified cyber security professional on staff. However, if the assessment is handed off to a third-party service provider, the provider must meet the requirements of this act if they have access to the non-public information. Either way, the Information Security Program (ISP) will be based on the outcome of the assessment. Currently a format for the assessment report is defined, and the reports must be kept by the licensee for five years.
Cyber Security Event
A cyber security event as defined by IDSA includes the compromise of unencrypted non-public information. The Department of Insurance expects notification even when law enforcement may restrict notification of the public. To aid in reporting, the Department of Insurance is developing an online reporting system for cybersecurity events which is expected to be completed by September 18, 2018.
More IDSA Info
Signing up for Notifications
The Department of Insurance encourages licensees and third-party service providers to sign up for bulletins and press releases on their website at www.doi.sc.gov. Once on the website, click the button for “Notification Subscriptions”.
The Department of Insurance hopes to have a live webinar/seminar on this topic on September 10, 2018. Updated information on this event will be pushed out through their notification system.
With cyber security becoming increasingly important, businesses and organizations want to ensure their systems and networks are protected from hackers and phishers looking to steal confidential information. Penetration tests, which are a form of ethical hacking, give businesses and organizations a powerful tool for finding weaknesses before an attacker does. Now the million-dollar question is, are penetration tests right for every business? Depending on the size of your business and its requirements, penetration testing can be a great fit for companies that care about controlling risk in the ever-changing cyberspace.
What is a penetration test?
To put things in perspective, penetration tests are a form of ethical hacking meant to probe for weaknesses within systems and networks. Unlike a vulnerability scan, which only enumerates likely weaknesses, a penetration test attempts to exploit them to show what an attacker could actually reach. While testing can be conducted internally or from the internet, you can hire the services of cyber security experts known as ethical hackers or white hat hackers. With these professionals, your systems and network are examined using both automated tools and the latest manual techniques.
Now that you understand what a penetration test is and why you might employ the services of white hat hackers, the big question is, how do you know when to bring them in? When it comes to the information security space, maturity isn’t measured by age. Rather, maturity encapsulates the thought process and sweat that has gone into building a cyber defense (refer to maturity model). Let's look at it this way: at some point in a company's growth, they hired (or outsourced) an IT staff and adopted an information security framework such as CIS or NIST, which helps align the company's business objectives with a defensive strategy. Standard practices implemented for defense include regular updates, user management, anti-virus protection, backups, an incident response plan, and logging. The organization is now looking for a third-party independent assessor to help improve the defenses further or achieve compliance.
Reasons for testing
Today, there are a number of reasons why companies hire third-party testers to probe their systems and networks, but we will focus on the two most important ones. The first is that the security team wants to level up; therefore, they need some talented good guys playing bad guys to break in and help point out weaknesses. Having a good team test and work collaboratively with the defense raises the security posture of an organization to a whole different level. Sometimes all it takes is another expert outside of the organization, with a different perspective, to see glaring issues that were overlooked for years.
Secondly, a third party may be brought in to ensure regulatory compliance. Well-known regulations call for third-party assessment: PCI DSS explicitly requires regular vulnerability scans and penetration tests, and HIPAA requires periodic technical evaluations that third-party assessments commonly satisfy. After the thorough examinations, attestation and report documents are delivered to key stakeholders (and with any luck, the IT staff are given promotions for doing an impressive job).
In addition to being a requirement in some industries, penetration tests are fantastic exercises for developing a cyber security team forged in the fires of real-life adversarial tactics. Mature organizations know that without properly testing the response of a team and the security measures in place, an organization will never know if its program is as hardened as it thinks.
Find a great team of white hat hackers and let them help you grow organizational security capabilities. If you have any questions about this topic, feel free to reach out to our team for more information.
On July 26, 2018, I attended the seminar about the South Carolina Insurance Data Security Act (IDSA) in Columbia, SC at the Capital Center Conference Room. The event was hosted by the South Carolina Insurance Association and the National Association of Mutual Insurance Companies (NAMIC).
Russ Dubisky, executive director of the SC Insurance Association welcomed everyone for coming and then made a few opening remarks about the seminar. Dubisky introduced the Director of the SC Department of Insurance (DOI) Raymond G. Farmer.
Director Farmer gave a legislative overview of the process that it took to get the IDSA passed as a law. Director Farmer explained that the DOI would be having a webinar in September to better inform the insurance community about the IDSA. Director Farmer advised that he also had representatives from DOI present to answer questions firsthand for the attendees at the end of the seminar.
Alex Hageli, Director of Policy, Research, International for the Property Casualty Insurers Association of America (PCI) spoke briefly about how the South Carolina law would impact data security standards nationally. Hageli explained some of the differences between the New York Data Security Act and the Insurance Data Security Act. Lobbying efforts attempted to get the South Carolina legislature to adopt more of the language included in the New York Data Security Act but failed in the end.
The New York Data Security Act, also known as the SHIELD Act, does not solely focus on the insurance industry but applies to data security for all businesses handling sensitive customer information. In meetings with members of the South Carolina legislature, it became clear that they would not follow the concise language of the New York act.
The Director of Compliance for NAMIC, Geoff Baker, was the next speaker. Baker focused on the language and intent of the Insurance Data Security Act (IDSA). It was clear from Baker’s presentation that numerous areas of the IDSA will require clarification and guidance from the DOI.
Baker stated that compliance with the Insurance Data Security Act (IDSA) will be a continual process for insurance companies to maintain. Insurance companies with 10 or more employees in the State of South Carolina are not exempt. Independent producers and contractors with 10 or more employees must also comply with the requirements of the IDSA.
NPI Definition and Concerns
Under the Insurance Data Security Act (IDSA), the definition of non-public information (NPI) has a broader meaning than what you would generally think of with personal, financial or HIPAA information. NPI additionally includes any business information that if it were disclosed or tampered with “would cause a material adverse impact to the business, operations, or security” of the company.
Why is this definition important? Because if NPI is breached, then it is a reportable cyber security event that would require notification to the DOI. Should a breach only obtain encrypted data without the encryption key to access the NPI information, this would not be considered a reportable cyber security event. Additionally, if the only data taken is non-NPI, then the security event would not need to be reported.
For foreign insurers the notification requirement is triggered if the reportable cyber security event affects the NPI of more than 250 consumers in South Carolina and the event requires the insurer to notify another governmental/regulatory agency (other than SC). Alternatively notification is required if there is reasonable likelihood of material harm to a SC consumer or insurer’s operation with more than 250 SC consumers affected.
Third-Party Service Providers
There was a lot of discussion about third-party service providers (TPSPs) and how to ensure that they are compliant with the requirements of the Insurance Data Security Act (IDSA). The IDSA states only that the licensee must use due diligence to confirm compliance. Can the TPSP just sign a contractual guarantee of its compliance with the IDSA, or does the licensee have to do more? Will licensees have to audit TPSPs or terminate contracts or appointments with agencies that are non-compliant? This is an area where the Department of Insurance (DOI) will need to provide further guidance.
Information Security Program
The Insurance Data Security Act (IDSA) clearly requires a written Information Security Program (ISP). You can find specific guidance on drafting the ISP by reviewing the language in Section 38-99-20(D)(2) of the IDSA statute. Your ISP should be driven by the information uncovered during the risk assessment, not drafted independently of it. Other issues, such as who drafts the ISP or approves the final draft, are less apparent in the language of the IDSA.
During a Risk Assessment, you should be reviewing network infrastructure cyber security monitoring and controls, current cyber security policies and procedures, non-public information (NPI) governance and retention schedules, software development practices, existing cyber security training, NPI access methodologies, use of NPI, and the utilization of TPSPs. The Risk Assessment will be an important step in the process and should involve a team approach utilizing insight from the CISO, compliance lead, department heads, key user representatives, and cyber security experts.
Additionally, licensees need a written incident response plan for handling cyber-attacks on NPI or the licensee’s information system. This response plan should also include guidance for business operations during disaster recovery.
The Insurance Data Security Act (IDSA) requires oversight of the process by the board of directors (or committee) to develop, implement, and maintain the ISP. An annual written report must be sent to the board defining the results of the Risk Assessment, risk management, TPSPs, testing results, cyber security events and responses, and recommendations for changes.
Where you can find more Information
As you can see the seminar covered a lot of important information and the hosting associations have been working hard to find answers for their members. Geoff Baker from NAMIC was kind enough to send me his slide presentation so that others could review the information in its entirety.
I will cover some of the questions answered by DOI representatives in another blog along with steps to sign up for information on their site. I encourage you to sign up on the DOI’s website to be forwarded bulletins and information about the IDSA. The DOI will be pushing out further guidance and hosting webinars on this topic soon.
Please pass this information along to other people you know in the insurance business. There are still smaller agencies who are unaware of the requirements of this law. Also tap into the resources provided by the NAMIC and the South Carolina Insurance Association. I have provided the links for you.