Got Fraud? No Industry is Immune

It's hard to go anywhere today without hearing and seeing stories about fraud. Whether it's credit card hacking, stolen passwords for social media sites or something else, the message is clear: Fraud is a big business with very real financial consequences. Insurance carriers may have seen less of this than banks and card processors, but it doesn't mean they're immune. They just have been lucky, since there are other more lucrative targets for the bad guys to pursue.

Luck is, of course, not a strategy and carriers need to give more thought and investment to preventing fraud. But the reality is that fraud for an insurance carrier may be somewhat different than in other parts of financial services.

What does this mean for CIOs? Careful planning. Understanding the issues can help reduce the potential for adverse impact and unwanted media attention.

With insurance products, fraud takes on different characteristics depending on the product type, the nature of the underwriting process and the frequency of transactional activity. For heavily underwritten offerings such as life insurance, fraud is hardly new. It may be more sophisticated now, but generally speaking, the pursuit of life coverage is not attractive, especially for someone looking to make a fast buck.

CARRIERS SIT ON A GOLDMINE OF PERSONAL DATA

A more realistic issue carriers face is the protection and management of personal financial data. Ensuring that information is protected internally, and during transmissions with vendors, is critical. The loss of this data to fraudsters would create a financial and reputational nightmare for carriers. For many, the big threat may be walking around inside the company on two legs. Locking down end points, implementing data-loss protection programs and monitoring network traffic are all critical. Banks have been aggressively dealing with this, moving to encrypt data that is both at rest and in flight.

Life and annuity carriers are getting more aggressive about monitoring and auditing access rights as well. As the Edward Snowden case at the National Security Agency (NSA) highlighted, ensuring that the access granted to individuals is commensurate with the job responsibilities is critical. The NSA case also highlights the challenge when work is transitioned from employees to consultants, who may be transitory, even while working within the same organization. Ensuring consultants' access rights aren't gradually collecting more and more capabilities, with no one paying attention, is crucial. Whether through carelessness, sloppiness or a lack of attention to detail, excessive access to data and systems can have real and painful consequences.

The more companies use consultants and outsourcing, the more transient the labor force becomes, exacerbating these issues. The bottom line is that aging security infrastructure and legacy admin systems weren't architected to address the current level of threat.

Fraud also comes from claims processing, and carriers need to be more mindful of the potential for loss here. P&C carriers are more aggressively using big data to check for patterns and anomalies, as well as social media checks. While claims frequency is lower with life and annuity products, it still exists. Individual disability insurance products are similar to workers' compensation, so it is worth the effort for CIOs and their teams to look beyond their immediate experience to get a view of both impending problems and workable solutions.

Many carriers are diligent about transaction processing and the order in which things are done, such as restricting cash withdrawals if they happen in close proximity to address changes. Rethinking those processing windows may be required, along with testing to see if they are effective. Programs that audit transactional activity across multiple platforms and time frames also may be required to counter a multi-channel attack.
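The processing-window check and cross-platform audit described above, as an added example that is not part of the original article. The event fields, channel names, account numbers and the 30-day default window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events merged from several platforms:
# (timestamp, account, channel, action). All values are illustrative.
EVENTS = [
    ("2024-03-01T09:15", "A-1001", "web", "address_change"),
    ("2024-03-03T14:02", "A-1001", "call_center", "withdrawal"),
    ("2024-03-02T10:00", "A-1002", "mail", "address_change"),
    ("2024-04-20T11:30", "A-1002", "web", "withdrawal"),
    ("2024-03-05T08:00", "A-1003", "mobile", "withdrawal"),
    ("2024-03-06T08:00", "A-1003", "mobile", "address_change"),
    ("2024-03-10T16:45", "A-1004", "agent_portal", "address_change"),
    ("2024-03-12T09:00", "A-1004", "agent_portal", "withdrawal"),
]


def flag_withdrawals(events, window_days=30):
    """Return withdrawals that follow an address change on the same
    account within window_days, whichever channel each event used."""
    window = timedelta(days=window_days)
    last_change = {}  # account -> (time, channel) of latest address change
    flagged = []
    # Sort by time so events from different platforms interleave correctly.
    parsed = sorted(
        (datetime.fromisoformat(ts), acct, ch, act)
        for ts, acct, ch, act in events
    )
    for when, acct, channel, action in parsed:
        if action == "address_change":
            last_change[acct] = (when, channel)
        elif action == "withdrawal" and acct in last_change:
            changed_at, change_channel = last_change[acct]
            if when - changed_at <= window:
                flagged.append({
                    "account": acct,
                    "days_since_change": (when - changed_at).days,
                    # True when the two steps used different channels,
                    # which a single-platform audit would not connect.
                    "cross_channel": channel != change_channel,
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_withdrawals(EVENTS):
        print(hit)
```

Re-running the same history with a different `window_days` is a quick way to test whether the current processing window would have caught known cases.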

The easiest way to defeat a process that relies on mailed confirmations is to simply check the mailbox every day. As banks learned, increased online security created a newfound appreciation for dumpster diving. Online banking has become the hardened target, making whatever was delivered by the postal service comparatively vulnerable. For IT, the challenge is to review and scrub printed output to minimize the chance that personal, confidential and financial information is compromised.

Threats morph as the bad guys gain a better sense of where vulnerabilities are. What once was considered a low-value target can become more attractive when new barriers are created. Nothing illustrates this better than the recent discovery that the Internal Revenue Service is threatened with fraudulent income tax filings. It doesn't take much imagination to extend that analogy to life and annuity carriers.

SELF-SERVICE EXPECTATIONS JUST KEEP GROWING

Another big challenge for carriers comes as more customers demand better, more-functional access to their account information online and on mobile devices. In banking, the security of these end points is increasingly robust, with Federal Financial Institutions Examination Council regulations driving improvements such as multi-factor authentication and cross-channel communications, in which codes for a website are delivered over a different medium, such as a mobile phone. Carriers need to improve here as well. For products with cash values, such as life and annuity, this is particularly important. There is a wide range of considerations for distribution partners too, where carriers need to balance concerns about security with the perceived adverse impact on user friendliness.

GET YOUR GAME PLAN

There is no technology that solves all problems. In an escalating war of attrition, carriers need to be vigilant and add more, and more effective, capabilities to respond to new threats. Some come in the form of technology investment and innovation, others in the form of better and tighter process definition and management.

For example, a banking tool that should also come to insurance is the use of third-party penetration testing services. These services can help carriers identify vulnerabilities and deploy an appropriately layered response. And the responses need to be diversified. Having overlapping but not redundant capabilities helps ensure a flexible, yet hardened, environment. Over-reliance on a single solution set or a single vendor can create the illusion of security but also can introduce brittleness to the environment, which isn't helpful.

Finally, security is a paramount concern when it comes to the use of third-party services and providers. With the proliferation of cloud-based services, it's essential that carriers rethink the way they structure contracts and assess performance. Penetration tests and security audits must become a regular part of developing contractual relationships with suppliers.

Carriers ignore these challenges at their own peril. And deciding to minimize Web-based and mobile capabilities isn't a winning strategy either, because consumers and producers are accustomed to self-service modes, which are flexible and offer near-instantaneous gratification.

The winning approach will be to have a game plan that carefully addresses vulnerabilities while increasing the robustness and responsiveness of the security environment. The best defense is, as always, a good offense.

INNsight is exclusive commentary from Novarica. Robert McIsaac is a principal focusing on life insurance, annuities and wealth management at Novarica, a research and advisory firm focused on business and technology strategy for insurers.
