As the insurance industry changes in response to continued digitalization, IT leaders have significant challenges: keeping up with rapidly changing technology, meeting business needs for faster speed to market, creating engaging customer and agent digital experiences, and enabling analytics to improve products and operations. Of course, these digital processes must be fully secure to retain the trust of agents and insureds, and to protect the company (and its board members) against liability.

As digital processes continue to evolve, security remains one of the top priorities for IT executives. The following are some of the main technology areas that comprise IT Security:

  • INTRUSION DETECTION. Protecting against intrusion is one of the most basic elements of IT security, and detecting intrusion is critical in ensuring a rapid response. An intrusion detection system (IDS) is generally defined as a device or application that monitors a network or system for policy violations and other inappropriate activity and transmits reports to a management station. An IDS can be network-based (NIDS) or host-based (HIDS). Indicators of intrusion could include a spike in network traffic, attempted access to firewalls, or packets with signatures indicating malicious software. According to Novarica research, about three quarters of insurers are planning to continue to enhance their capabilities in this area.
  • APPLICATION SECURITY. Like intrusion detection, application security is a mature area for insurers, but one that needs continual investment in order to stay current against evolving threats. Larger insurers are slightly more likely to be investing aggressively in continuing to improve this area than smaller insurers.
  • DATA ENCRYPTION. Surprisingly, data encryption is not completely ubiquitous within the insurance industry. About half of insurers are planning to enhance their data encryption capabilities, and many smaller insurers are looking to launch data encryption for the first time in 2016.
  • DEVICE SECURITY. As corporate-owned and corporate-accessible devices (laptops, tablets, smartphones) proliferate in support of ease-of-doing-business initiatives and productivity enhancements, they create their own set of security threats. Any device used to access systems can carry viruses, malware, and keystroke-capturing Trojans that transmit proprietary data and passwords to third parties looking to gain access to systems or capture personal information. The latest virus signatures, scanning, and drive encryption software need to be installed on devices and kept up to date as the threats evolve. Large insurers especially are devoting attention to this area.

However, IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate all aspects of security management and to determine the maturity of each process. These processes must be independently validated through a combination of sampling, gathering statistics from tools, and discussions with the people responsible for those procedures. More than half of insurers are investing in enhancing their existing audits and procedures in the coming year.

Another trend we're seeing for 2016 is the adoption of formal frameworks like NIST and SSE-CMM. These frameworks provide reasonable assurance of secure application development. The organization must ensure that the software it builds, or that is built on its behalf, is secure and does not open up a security exposure. One good way to determine whether the software development process creates secure applications is to look at the security maturity of that process. The SSE-CMM is the way to assess this, but it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST framework, developed in 2014, is becoming the standard for all insurers to assess digital and operational security risks in a structured way and to develop a roadmap to improve their cyber-security practices.

For insurers, cyber security was not a big issue 5 to 10 years ago. Yet it has become one because of increasing digitization. Insurers who are developing their IT security strategies should start by listing their business criteria and getting signoff from business leaders up to the COO and the heads of the business areas. Then they should map out the investments and their priority sequence. Different insurers will have different needs. For example, if the company is in the direct business, having secure websites and mobile apps is critical. If someone breaks in and steals customer information, the company's reputation will be harmed. However, the threat exposure may be greater if the company is managing large amounts of money in an annuity or a wealth management portfolio. In addition, regulatory requirements around health data are much more stringent and complex than for other types of data.

Most large insurers have a mature IT security function, with a dedicated organization led by a Chief Information Security Officer. But for smaller companies, committing resources and building competency in this area can be challenging. However, size is no excuse. In 2016 and beyond, all insurers must be certain that they understand their challenges and options, prioritize their investments, and plan their responses to security incidents.

Mitch Wein is a vice president of research and consulting at Novarica, an advisory firm that helps more than 80 insurers make better decisions about technology projects and strategies. He can be reached directly at
