Login Register Subscribe
Current Issue

AIG unit leads Anthem's cyber coverage

Reprints

An American International Group Inc. unit is the primary cyber insurer for Anthem Inc., which this week disclosed a massive data breach affecting about 80 million customers and employees, insurance market sources say.

Anthem, the nation's second largest health insurer, has $10 million in primary cyber coverage above a $10 million self-retention with Lexington Insurance Co. Overall, Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.

Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say. AIG and CNA could not be reached for comment on Friday. Spokesmen for Liberty Mutual and Zurich had no comment. Willis North America Inc. placed the cyber coverage, sources say. Willis could not be immediately reached for comment.

On Friday, Anthem warned its clients to be aware of scam email campaigns targeting current and former Anthem customers that are designed to capture personal information in a so-called web “phishing” attack. The health insurer warned them to not click on any email links in such emails. Also, Anthem said it is neither calling customers regarding the cyber attack, nor asking them for credit-card or Social Security information.

Meanwhile, the National Association of Insurance Commissioners has called for a multi-state examination of Anthem and its insurance affiliates.

“Since the news broke, regulators have been working together and have been in discussion with Anthem executives,” Monica Lindeen, NAIC President and Montana Commissioner of Securities and Insurance, said in a statement. “We are in agreement that an immediate and comprehensive review of the company's security must be a priority to ensure protection of consumers who are covered by Anthem.”

The NAIC said in its statement that it expects all U.S. states and territories will participate in the review of Anthem's operations. The NAIC said states with significant Anthem business – Indiana, California, Missouri, Maine and New Hampshire – are expected to take the lead in the wide-ranging examination.

California Insurance Commissioner Dave Jones said in a separate statement, “The goal of this national multi-state examination should be to determine what areas of vulnerability exist in Anthem's data systems, what additional strategies and protections could have been employed to prevent losses and whether the insurer has taken the appropriate steps in response to the breach. The Anthem breach underscores that it is critical that companies continually evaluate and upgrade their protection for consumer data.”

Anthem CEO Joseph R. Swedish announced late Wednesday that the health insurer was the target of a “very sophisticated external cyber-attack.” Stolen was personal information of current and former customers, including their names, birthdays, medical identification and Social Security numbers, street addresses, email addresses and employment information, including income data, the company said.

The announcement said so far there is no evidence credit-card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised.

The company, which sells Blue Cross Blue Shield health plans, said it is cooperating with an investigation by the FBI. Separately, it has hired Mandiant, an Alexandria, Virginia-based cyber security firm, to evaluate the company's computer systems and “identify solutions based on the evolving landscape.”

Also, Anthem said it plans to contact current and former customers via mail delivered by the U.S. Postal Service with information on how to enroll in credit monitoring.

Attorneys general for Massachusetts and Connecticut announced they plan their own investigations of the Anthem breach, while Indiana Attorney General Greg Zoeller is monitoring the situation.