Are TPA legacy technology infrastructures placing your data at risk?
Since 2015 there has been an increasing risk to entities in the insurance industry. 2019 saw a 131% increase in cyber attacks over 2018, and 2020 into 2021 continues to set the stage for increasingly aggressive and high-profile attacks. The insurance industry has become a clear target, and the experts (including victims of cyber attacks themselves) agree that it is only going to continue. Last year alone, organizations from CNA Financial, Corp. to Chubb and Marsh McLennan fell victim to ransomware attacks or data breaches that resulted in potential theft of client and/or internal data. Why should this be of concern for you as an employer? Because their vulnerabilities place your data and program performance at risk.
Why The Focus on Insurance and Claim Entities?
There are several reasons why insurance companies, brokers, and third party administrators have become the leading target for cyber-attacks outside of healthcare, ranging from increased accessibility through third party vendors to the sheer volume of data records they are able to access. Just to highlight a few reasons:
They Have The Data
Got data? The answer to that is resonating through the cyber-crime world, and it is what has made them a target. The two most highly sought after and exposed pieces of data across all industries are Social Security Numbers and Protected Health Information (PHI). In the past, targeting financial and/or retail institutions provided access to one of these, while healthcare entities offered the other. But since 2018 there seems to have been the realization in the world of cyber criminals that insurance entities, especially claim management entities, can often provide both of these highly valuable pieces of data in one place.
Quantity and Quality for the Win
Whereas a single entity can provide a fun score for these criminals, imagine the rush from hitting a server that has data for multiple organizations! It's a treasure chest of data, and comparable to healthcare for ransomware perpetrators: they also know that access to this data is essential for the company to perform. They recognize that these entities have hundreds to thousands of clients that can be impacted. For each of those, they know there could be hundreds to thousands of individual records and vital data. Without access to that data, the entity's world is at a standstill and its clients would not be pleased, so in many cases the attackers rely on this, as those clients are more than willing to pay. It is estimated that the average ransom begins at $250,000 and is projected to easily escalate into seven figure ransoms by the end of 2021. However, even for entities that pay, often this is just the beginning.
There is one very important commonality across these new targets: legacy technology infrastructures. The technology debt faced by these long-standing TPAs, carriers and brokers continues to be an anchor against their ability to effectively secure your data and their own. In the last twelve (12) months alone Chubb, Sedgwick, Gallagher Bassett, Arthur J. Gallagher, Marsh McLennan and CNA Financial, Corp. have all fallen victim to either ransomware attacks or data breaches. CNA's incident cost a reported $40 million! Legacy infrastructures are ripe for intrusion, but until now there has been little monetary incentive for these entities to overhaul their infrastructure to effectively deter attacks and secure data. Additionally, these entities work with various third party vendors over whose security they have limited or no control. In a world where third party / subcontractor breaches can release four (4) times the number of exposed records, that is not an acceptable risk.
The Impacts are Significant
Employers and organizations that outsource their claim handling historically have been completely dependent on their administrators to be responsible for their data security. However, in the event of a breach or lockout, the burden is shared by all. System lockdowns resulting from ransomware can delay injured worker treatment and prescription fulfillment, and impact care in emergent situations. In the healthcare space, 2020 claimed the first reported death due to a ransomware attack, at a hospital in Germany where the patient records were locked and inaccessible.
For us here in the claims world, delayed bill processing results in rapidly accumulating penalties on top of the administrative burden and associated costs of required notifications and data breach compliance. With experts predicting an increase in targeted ransomware attacks and related outages, and a projected $9 billion cost to industry by the end of 2021, data security has moved to the forefront in the minds of risk managers around the globe. Much like the return to employers' increased involvement in proactively managing their claim programs, more and more are looking at solutions to ensure the security of their data.
It’s Your Data. Protect It.
Producers and industry professionals will speak to the importance of cyber security insurance policies, making sure you have appropriate coverages accompanied by strong policies and procedures. That is true and we agree, but that does not help when you are not in control of the system, policies or infrastructures that are placing your data at risk in the first place.
As the employer, especially in a self-insured and/or high deductible program, this is your data and, like your employees, it should ultimately be your responsibility to protect it. Employers are generally not claim experts and are not looking to take on setting up a claims shop next door to their sales or customer service departments. It is neither a desirable nor an economically feasible situation for the majority of employers. Recognizing that the industry needed a modern solution to deal with today’s claims and security issues.
Your Claim. Your Data. Your Control.
The largest employer in the country has the breadth and bandwidth to manage their claims both internally and via TPAs throughout the country. However, where they differ is that their TPAs utilize the employer's platform to adjudicate their claims. This allows them complete insight into their data and control over their technology and security. Unfortunately, despite the desire to do so, most organizations did not have the ability or expertise to implement such a program. Until now.
ASG introduced ASGARD-T.C.P (Transferable Claims Platform) as the employer’s solution for taking control of and securing their data while increasing program controls, regardless of who their claims administrator is.
ASGARD provides employers with centralized communications and data flow through its secure platform for vendor and claim data. Employers are able to have complete insight into program performance and analytics, and to increase transparency, with the complete confidence that their data is secure. ASGARD’s backup compliance mode ensures data loss is impossible. Its data encryption and key spaces are unique to your organization, and your data is always secure, even when not in use (at rest).
What To Do?
As the world and technology continue to evolve and cyber-criminals become more and more sophisticated, the question becomes: why are you trusting yesterday’s technology to protect your data today? ASG provides a comprehensive and complete solution for employers who want to proactively protect and manage their programs. From a completely biased perspective, we would love to show you what we can do for your program and data security. However, even if ASG is not the solution for you, as claim professionals in this targeted industry, our recommendation would be to have the tough conversation with your claim administrators. Make sure your security professionals are confident in the administrator's actual infrastructure: not just their new database or system, but what that system is running on, because a flashy database running on a vulnerable server or poorly configured network, with connections to vulnerable systems, is still a liability.