Insurance providers, tackle cybersecurity breaches with confidence

Our first advice was to document the breach in writing with the help of the firm’s IT team. Beyond record retention – which is an obligation in its own right – documenting the breach is essential for determining the scope and impact of the cybersecurity incident.

A record of a breach should contain at least the essential information that the firm will need to submit to the ICO where the breach is reportable (see step 2). This includes:

• A description of the nature of the data breach and its timeline if applicable
• A description or estimate of the categories of personal data being subject to the breach
• A description of the number of data subjects affected by the breach
• A list of the individuals associated with the breach (e.g. data protection officers, IT engineers)
• The impacts of the breach and the likelihood thereof
• Any existing controls or measures taken immediately in response to the breach (e.g. password change, disaster recovery plan)
• The obligation to report to any regulatory bodies, if any

This process is likely to be easier if the organisation has maintained a comprehensive register of processing activities, in which business processes, data owners, departments with granted access, and types of data and data subjects are identified.

Further to devising a record of the breach, we worked with our client to establish a communication plan addressed to the affected data subjects, including its customers. The communication plan is critical for the following reasons:

• Complying with the firm’s legal obligations under the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) – in particular, the principle of accountability
• Preventing further harm being caused to or sustained by the individuals whose data was stolen
• Potentially minimising the degree of reputational damage caused to the firm if the breach was not acknowledged

In response to a personal data breach, firms are expected to undertake a risk assessment of the likely impacts on the affected individuals. A risk-based approach is essential as it will inform the organisation’s remediation plan.

Under Article 33 of the GDPR, organisations must report a personal data breach to the ICO “without undue delay” and, where feasible, no later than 72 hours after becoming aware of the breach where the latter is likely to result in a risk to the rights and freedoms of any natural persons.

A risk to the rights and freedoms is broadly defined by Recital 75 as any utilisation of personal data that could cause any physical, material or non-material damages or losses to an individual. In the presented case, the leakage of passport and policy cover details exposed the firm’s clients to identity theft, fraud and the disclosure of special categories of personal data (i.e. medical history).

Consequently, a notification to the ICO was inevitable. We advised our client on drafting the initial standardised notification form and on subsequent correspondence with the ICO.

Similar to many organisations, our client was initially wary of providing details to the ICO in their notification form. The key during this phase is to remember that the ICO does not take enforcement actions against firms for having sustained data breaches unless the incident was caused by a material deficiency on the organisation’s part.

In the case of our client, the ICO provided constructive recommendations to enhance the firm’s cybersecurity controls.

Article 34(1) of the GDPR requires organisations to notify affected data subjects where the breach is likely to result in a high risk to the rights and freedoms of natural persons. A ‘high risk’ will likely cause greater impact to data subjects, e.g. access to special categories of personal data resulting in discrimination, enabling individuals to be located or tracked, and/or disclosing data about vulnerable persons.

An argument in favour of such a communication would highlight the fact that special categories of personal data such as medical information may have been leaked to the dark web.

Note, however, that such a communication need not be one-to-one with the data subject where any of the following conditions are met (Article 34(3)):

• The firm maintains appropriate technical and organisational measures that cover the type of personal data affected by the breach (e.g. encryption at rest or during transit)
• The firm has taken remediation or mitigating measures to ensure that the identified risks are no longer likely to materialise
• It would take a disproportionate effort for the firm to separately notify each data subject affected by the breach

IQ-EQ and the insurance distributor came to the conclusion that the most sensible approach would be to release a communication to its customers, alerting them that they may receive in the upcoming days or weeks phishing emails or otherwise fraudulent inquiries.

UK-regulated firms are required to notify the Financial Conduct Authority (FCA) for various categories of events, as set out in Chapter 15 of the Supervision Sourcebook. For instance, SUP 15.3.1R requires notifications to be made where an event will lead to:

• The firm being no longer able to satisfy its threshold conditions
• Significant reputational damage to the firm
• Significant disruption to the services provided to its customers
• Negative impact on the firm’s ability to treat its customers fairly
• Negative impact on the firm’s ability to meet its capital adequacy requirements
• Significant failure of the firm’s systems and controls
• The firm breaching or contravening any of its regulatory obligations
• The disclosure or dissemination of market-sensitive information
• Significant harm to the wider UK financial system

Depending on the type of data breach, a notification may be required for one or more of the grounds listed above. In our case, the most applicable grounds were the negative impact on customers and the firm’s ability to abide by the treating customers fairly (TCF) framework.

IQ-EQ worked with the insurance distributor to draft and submit the initial SUP 15 form to the FCA. However, given the ‘contained’ scale of the breach, no follow-ups were received by the regulator.

As part of our consulting services, we advised our client on the following tasks to ensure that the likelihood of such a disruptive event occurring in the future is minimised:

Training and culture – It will be no surprise to anyone that most data breach incidents occur despite a firm implementing the most stringent cybersecurity controls. The 2020 ‘Psychology of Human Error’ study conducted by Tessian found that 88% of data breaches are caused by staff mistakes. The study cites that the top reasons phishing emails are clicked relate to the fact these messages purport to be sent from internal addresses or from reputable brands. Therefore, periodic training and staff-focused cybersecurity tests are a good way to ensure the firm is committed to a strong security culture. IQ-EQ delivers online and live training sessions on data protection and cybersecurity controls.

Record retention – We advised our client on building and maintaining a comprehensive record retention system in relation to data security. In the event of a breach or a data subject access request, organisations struggle the most when there is no up-to-date record of processing activities. IQ-EQ assisted the firm in identifying the various business procedures where personal data was processed, the purpose of those procedures, the types and categories of personal data and data subjects, and assigning those purposes to individuals and departments to establish accountability. We were then able to produce a report assessing the risks deriving from the various processing of personal data and their disclosure to internal and third parties. Based on our findings, IQ-EQ advised the client to assess the effectiveness of its current data security controls.

Controls and access restrictions – Insurance companies are critically exposed to cybersecurity attacks due to the wealth of personal data they process on behalf of their clients, ranging from health records to financial information. Insurance Business Magazine reported on 12 June 2023 that recent attacks had become increasingly more damaging, specifically targeting the insurance industry. We worked with our client to implement basic but important mitigating measures such as:

• Segregation of work-related data/prohibition of using personal devices for work
• Consistent document naming and filing system to spot unusual activities or suspicious files
• Redacting sensitive information such as special categories of personal data
• Maintaining up-to-date access controls for current and former staff
• Ensuring departing employees return all devices, information and equipment
• Periodic training and assessments (as discussed above)
• Monthly cybersecurity testing (e.g. DDoS attacks, penetration tests)
• Annual data protection compliance testing (as part of the compliance monitoring review)