How Insurers Can Stay Secure While Transforming the Way They Do Business

September 3, 2020 Alex Cowperthwaite

Insurance companies are cautious when adapting to change. Why? Tried and true legacy processes and systems underpin a complex and abstruse industry, and there are significant barriers to entry including enormous capital requirements; the need to possess decades' worth of actuarial data; and a challenging state-by-state compliance regime. However, smaller, more agile InsureTech startups are driving innovation, causing traditional brokers and carriers to more rapidly leverage technology that will improve customer experience. There is also a push to develop innovative products and services, including dynamically priced “pay-as-you-drive” auto safety monitoring, drones that survey property damage after a major catastrophe, IoT devices that evaluate risk for dental and life insurance, and home insurance discounts for installing smart home devices. The landscape is changing rapidly, and insurance companies are starting to change with it.

Digital transformation is at the heart of the changing landscape in the insurance space, offering smoother, faster ways for insurance companies to interact with customers and modernize underwriting, policy administration, billing, and other core processes. However, insurers need to consider the security implications of their plans for innovative and more efficient business models. The stakes are undoubtedly high given the valuable and highly confidential information insurance companies possess and the complex regulatory landscape within which they operate. But by adopting modern cloud technologies and forming partnerships with experienced cloud security experts, insurance companies can achieve rapid digital transformation with confidence.

Frameworks for digital transformation in insurance

There are two levels at which digital transformation is happening in the insurance industry. At one level, digital transformation is changing how insurance companies interact with customers, making it easier than ever to assess needs, provide insights, and sell products. At another level, digital transformation is changing how insurance companies collect and analyze data, which gets to the heart of actuarial science, risk analysis, and pricing. These dynamics are interrelated from a technology perspective: access to secure, cloud-based services is crucial to both.

Transforming how customers interact and communicate with a broker or carrier often manifests in mobile apps and web portals that allow customers to provide information to facilitate risk assessment, compare quotes, purchase new insurance products and add-ons, renew policies, and access detailed information about in-force policies. In some cases these interfaces also offer enhanced customer service options like live chat. This kind of digital transformation is further ahead on the business-to-consumer side for products such as auto, home, and life. Companies like Cover Wallet (which was acquired by Aon) and Huckleberry are driving similar innovations on the B2B side.

Cloud technologies form the backbone of the environment that supports customer-facing digital transformation. When building web applications and mobile apps, cloud technologies speed up design, implementation, prototyping, and release of digital services. They make the creation of smooth, appealing, and professional products significantly faster and easier than building them on top of dated and highly fragmented internal infrastructure.

Important opportunities for digital transformation also exist for back-office processes. To create and sell products, carriers need on-demand access to massive amounts of data – either their own stores, or stores of data available through partnerships with other businesses. Digital transformation facilitates expanded use of larger and more diffuse data sources, big data techniques, and machine learning, with the goal of getting faster, clearer pictures of risk that allow carriers to use highly specific models to offer customized products and pricing on the fly.  

This back-office transformation has progressed more slowly than the transformation of customer interaction because of the complexity of the solutions. However, as smaller and nimbler InsureTech firms disrupt the market, it’s clear that players of all sizes will need to accelerate back-office transformation if they want to keep up.

Security stakes in the insurance sector

The security stakes are high for digital transformation in insurance: transacting electronically with employees, customers, and suppliers while safeguarding the confidentiality and integrity of those transactions becomes more challenging as transformation incorporates almost every process and makes sensitive data readily accessible, both internally and externally.

Data breaches are expensive, especially in the financial services space. According to the 2019 Cost of a Data Breach report from IBM and the Ponemon Institute, the average cost of a breach for a financial services company is US$5.86 million. A broad range of attackers are targeting the insurance sector, but nine out of ten insurance industry data breaches are financially motivated. That is not surprising given the Ponemon report’s finding that a hacked record stolen from a financial services company fetches an average price of US$210, second only to healthcare.

In addition to financially motivated attackers, insurance companies are also attractive targets for state-sponsored actors. One of the largest insurance company incidents in history, the Anthem breach, puts that in stark relief. Anthem’s breach, like those at Equifax, Marriott, and the Office of Personnel Management, was attributed to Chinese hackers who, with access to both Anthem and OPM data, were able to compare the datasets to produce better intelligence about valuable American intelligence operatives.

The regulatory framework in the insurance sector has always been complex, with rules governing the industry set primarily at the state level. But the regulatory stakes get higher every day as states begin to reflect rising consumer concerns about data privacy in new laws that embody the Insurance Data Security Model Law, which was drafted starting in 2016 and adopted in 2017 by the National Association of Insurance Commissioners in response to major data breaches.

Insurance companies that do business in New York are also subject to the NYDFS Cybersecurity Regulation, which came into effect in March 2017, though it has never been more relevant than it is right now. On July 22, the NYDFS filed its first action alleging that First American Title Insurance Company failed to properly safeguard mortgage documents. This particular case has broad importance to the insurance industry because Nebraska’s insurance regulators had already found First American’s incident response to be sufficient. The precedent is now set: not only is the NYDFS setting a higher bar for compliance, they have also now demonstrated a willingness to enforce their version of the rules even when other regulators have already acted.

Secure cloud technologies mitigate risk

Fortunately for insurers, cloud computing not only makes digital transformation smoother but also offers security advantages. Modern cloud services integrate security features that can help insurers reduce the risk of a data breach and remain compliant with increasingly stringent regulations.

Password-based authentication has always been an issue for internet-facing applications, even before the transition to the cloud. While cloud deployments may ultimately expose more applications to the public internet, leveraging user management services can help ensure strong authentication is consistently deployed. With respect to access control, Identity and Access Management (IAM) policies available with cloud services offer more granular access control than the platforms used for on-premises infrastructure. Though these can be complex to learn, it is worth it for development, operations, and security teams to take the time to learn how to use them correctly. A trusted partner can help validate that transformed applications leverage all the identity security features that the cloud provides, leading to a more secure environment.

From a data security perspective, especially in the insurance sector where companies must retain and analyze so much personally identifiable information and sensitive financial data, management of encryption keys can be a challenge. Compliance with data security regulations requires data to be encrypted in transit and at rest, but encryption is only meaningful if the associated encryption keys are generated, stored, and tracked in a secure manner. Fortunately, dedicated cloud services such as Hardware Security Modules (HSM) and Key Management Solutions (KMS) make it easier to manage encryption, since they allow encryption throughout the environment to be centrally bootstrapped. Choosing the right HSM or KMS as a trust anchor for data security can be complex, but if done thoughtfully during the architecture phase of a cloud deployment, it can streamline encryption management.

In addition to data encryption, insurance companies also have to plan carefully around data residency. After all, given the complex regulatory framework to which insurers are subject, tracking where data resides allows an insurer to determine what regulations apply to which data, and what security measures need to be taken in order to comply with those regulations. Fortunately, both public and private cloud solutions offer centralized approaches to managing and tracking where data is stored, which can help insurers streamline data governance as the business scales. 

How a trusted partner can help

The security features of modern cloud services have the potential to lighten the security burden of digital transformation and cloud migration. However, it isn’t easy to use these services correctly, and many companies don’t yet have the expertise and experience on staff to architect a secure cloud solution and validate that the intended security controls are working. It’s possible to transform faster and with even more confidence by teaming up with a trusted partner that has deep experience with designing and securing cloud solutions.

When engaging a partner to help design secure cloud infrastructure, it’s important to begin collaborating as early as possible in the planning stage, before design work begins. Evaluating cloud security architecture partners from the beginning gives insurers a chance to determine whether a partner is a good fit for the culture of the company, and whether the partner will integrate well with the team and be able to incorporate a real understanding of the company’s business goals into its work. Once an insurer has determined that a partner’s approach integrates well with their digital transformation goals, it’s easier to work seamlessly with this partner to achieve a design that will satisfy functionality and security objectives. The right partner can help ensure that security is an explicit design requirement, thus accelerating the design, build, and scaling of secure solutions that are fit for purpose.

It’s also beneficial to engage a partner during the development and testing phase of cloud implementation for penetration testing and security verification. When choosing a security testing partner, consider both their relevant experience and the breadth of their security testing approach. Choosing a security testing partner that knows how to develop and integrate an enterprise penetration testing program that fits with the business objectives of a digital transformation program ensures security assessment and remediation can be executed at a pace that’s consistent with business expectations.

From accessing and analyzing the data necessary to make smart actuarial decisions all the way to providing insurance services to customers, cloud technologies support and accelerate digital transformation, allowing insurers to operate more efficiently, and making business more rewarding for both the company and their consumers.

Considering security from the outset makes it more likely that digital transformation will succeed. To continue learning about how to integrate security with your company’s digital transformation, download the Security Compass Cloud Security Guide today. This free e-book discusses in detail how to plan, design, and configure cloud services so you can reach your digital transformation goals securely.
