The U.S. Supreme Court’s June overturning of the 1973 Roe v. Wade decision protecting women’s constitutional right to an abortion has brought with it reports of growing digital privacy concerns.
Most of the concerns center on individuals’ collected data due to things like location tracking, text messages, search histories and emails, as well as period and ovulation-tracking apps. But concerns have also been raised around how big tech and insurance companies, including insurance tech providers, are safeguarding personal data and rethinking their own cybersecurity in the process.
“If you are a person who works with abortion providers right now in the United States, then you are aware that their data is under attack,” said Eva Galperin, director of cybersecurity for nonprofit The Electronic Frontier Foundation, on this episode of The Insuring Cyber Podcast. “So, the threat to them is extremely real, and they have been taking it seriously for a very long time. And I don’t expect that threat is going to be lessened anytime soon. In fact, I think it’s much more likely that things are about to get much, much worse.”
Dan Burke, national cyber practice leader at insurance brokerage and consulting firm Woodruff Sawyer, said earlier in this episode that although an increase in cyber threats against healthcare facilities and insurers has not yet been seen, public attention regarding the overturning of Roe v. Wade could incentivize attackers.
“It’s very easy to see it is generating a lot of attention and a lot of headlines,” he said. “And when that happens, we tend to see an increase in attacks on companies that are caught up in that media narrative.”
Galperin said that with this in mind, it’s important for companies—whether it’s healthcare providers, insurers or tech companies—to be thinking several steps ahead about their cybersecurity.
“The reason for that is because companies are a big ship, and turning the ship around is a slow process,” she said. “You cannot change everything about the way that your platform works or your product works tomorrow in response to new restrictions or new demands for user data. What you need to do is you need to look at the existing law and you need to look at what kind of laws are being proposed right now.”
Burke added that renewed concerns around digital privacy will likely give insurers more opportunities to consider the potential for penalties associated with data privacy law non-compliance.
“It certainly is an opportunity,” he said. “I do think it is another example of this wave of privacy regulation really impacting what’s going to happen in cyber insurance in the future.”
Although the future of the cyber insurance industry remains to be seen, he said the steps cyber insurers have taken in the past to advocate for digital privacy are paying off.
— Dan Burke
However, Burke believes cyber insurance underwriting around digital privacy risk still has a long way to go.
“So much of cyber insurance underwriting today is focused on security controls and the ways in which companies can improve their security posture to prevent an attack from ever happening, and yet little underwriting is truly dedicated to what I think are some of these very significant digital privacy concerns,” he said. “The carriers in my mind have overindexed toward security controls because it’s tangible. It’s something they can easily judge companies on.”
He said underwriting digital privacy requires a different lens in which insurers differentiate strong controls versus weak controls and use that as a method to risk select which companies are better controlled than others.
“I’m not sure all cyber insurance carriers have really gotten their arms around that yet,” he said.
Although the cyber insurance industry has been advocating for the importance of things like multifactor authentication, endpoint detection and response tools, and strong backup policies and procedures, he added it’s important that insurers practice what they preach.
— Eva Galperin
“It’s not lost on me that insurance companies don’t always take the medicine that they’re prescribing to others, so there are a number of things where I think the insurance companies could be better,” he said. “Certainly for healthcare insurance companies, they do have a lot of that data. It is very sensitive. A lot of health insurers are really consumer-facing companies, and the biggest risk for any consumer-facing company when it comes to a cyber attack is the reputational damage that they’re going to be subject to as a result.”
That said, Galperin challenged the insurance industry to go a step further and think beyond the reputational harm that could result from cyber threats or data privacy law non-compliance and prioritize minimizing risk for consumers first.
“It is not uncommon for insurance to essentially err on the side of caution, and in this particular case, I would like them to rethink what caution looks like—whose risk you’re trying to minimize. Because very often, the insurance industry is trying to minimize the risk to the insurer. I would really like for them to reframe it as minimizing risk to their clients,” she said. “I think that insurance companies and the makers of these platforms and apps are probably under incredible, tremendous pressure to protect themselves first and foremost, and I think that is profoundly misguided.”
Be sure to check back Aug. 17 for Part 2 of this two-episode series where The Insuring Cyber Podcast will continue this conversation with Aaron Tantleff, partner at law firm Foley & Lardner, and stay tuned for new episodes of this podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.