Insurers Look to Tighten Cybersecurity Before Innovation
Underlying all 2016 trends is perhaps one of the largest focus areas for insurers: data security.
Several high-profile insurance data breaches in 2015, including the Anthem and Premera healthcare hacks, served as a giant wake-up call to the insurance industry — as hackers plucked the personal information of millions of consumers and forced the insurance industry to up the ante on its cybersecurity practices. As insurers explore technologies that collect more data and customer information than ever, they have no choice but to step up, says Gil Bishop, CISO of Amica.
“Ensuring the privacy and confidentiality of customer information in a rapidly evolving mobile insurance marketplace is challenging,” he says. “Issues range from how to sufficiently authenticate the user of a mobile device, to how to effectively provide end-to-end protection for payment and other sensitive transactions. Finding the appropriate balance between usability and security is critical.”
Besides severe effects on reputation and consumer satisfaction, big money is at stake: According to the Ponemon Institute’s Cost of Breach Study from May 2015, a breach can cost upward of $154 per record, and an average of $3.79 million in damage overall.
The industry has been active in beginning to tackle the issue: Since the National Association of Insurance Commissioners created the Cybersecurity Taskforce at the end of 2014, recognition of the growing cybersecurity threat to insurers and the need for increased oversight has increased. The Cybersecurity Taskforce adopted 12 cybersecurity principles this year designed to provide guidance to insurers and regulators, and is also evaluating a new draft of a Cybersecurity Bill of Rights that specifies the rights of insurance consumers.
Insurers have realized that not only do they have a responsibility to monitor their activities, but they also need to make sure that basic housekeeping is being carried out, says Steve Durbin, a former Gartner analyst and managing director of the Information Security Forum. “You may not be able to detect the malware, but you should be able to spot unusual activity; you may not be able to protect every piece of data, but you should have implemented encryption.”
In a state filled with banks and insurers, it’s no surprise that New York regulators are currently considering a variety of cybersecurity requirements for banks and insurers. In a letter to other regulators, New York financial services superintendent Anthony Albanese said his agency has surveyed more than 150 banks and 43 insurers since 2013 and has concluded that “robust regulation” is needed.
On the other side of the coin, Durbin says there is the risk of becoming so focused on compliance that resilience and monitoring of a rapidly emerging and evolving threat landscape get lost in the mix. “Regulations are, by their very nature, retrospective in their context,” he explains, “whereas in cyberspace we need to be constantly looking forward and anticipating challenges through increased co-operation, increased sharing of intelligence and sound risk management.”
The good news is, insurers are in a unique position to address cybersecurity, according to James Ruotolo, director of products and marketing for security intelligence solutions at SAS, as many are beginning to offer cybersecurity coverage or see claims related to data breaches on business interruption, directors and officers or liability policies. “This can give insurers a unique perspective and the ability to see trends and patterns emerge,” he says. “While they certainly need to secure their own organizations, insurers have an important risk management and loss control role to play in addressing cybersecurity.”
There is no doubt, however, that there will be a similar spate of breaches announced in the coming year, especially since many of these crimes occur months before the discovery or announcement, often by a third party, says Mitch Wein, VP of research and consulting at Novarica. “There is always a lag time between the breach and the detection and response,” he explains. “The idea is to shorten this time period since it can never be eliminated fully.” Many insurers have not yet fully deployed the comprehensive NIST Security framework, which would reduce the time from breach to detection and response, he adds.
But, according to the Novarica IT Security 2016 Update, 10-20% of insurers are planning to evaluate and pilot these security frameworks in 2016, says Wein. And budgets are blooming: According to Novarica’s US Insurer IT Budgets and Projects 2016, a survey of 104 insurers indicated that about 10% of their 2016 budget would be going to security, covering hardware, software, and security-related processes such as firewalls, intrusion detection, encryption, framework adoption, and audits.
And risks of breaches are not affecting the insurance industry’s willingness to innovate, adds Wein.
“Insurers are innovating more, not less,” he says, pointing to the move to digital, data-driven initiatives such as collecting data from IoT-enabled devices and sensors, and mobile enablement of key processes: “The risk to insurers is increasing as they become more dependent on technology, however, they must innovate to survive,” he says.