Many insurance companies aspire to sell policies to their customers that will provide financial mitigation against cyber-attacks. That is all well and good, but they need to make sure their own houses are order first.
A recent Quocirca research report, Room for improvement, Building confidence in data security, which was sponsored by Digital Guardian, showed that by some measure, financial services were the most confident about data security. However, whilst more than half of financial services organisations are very confident about data security, 4% are not that confident. It seems insurance companies lie at the lower end of this scale.
Quocirca attended a recent round table in the UK attended by IT security heads from leading insurance companies hosted by Entrust Datacard, a provider of strong authentication tools, digital certificates and online fraud prevention products. If the views of the dozen or so attendees are anything to go by, the insurance sub-sector has a lower level of confidence about data security than banks (of course, some organisations have a foot in both camps, so called bancassurance). Why?
For a start, whereas banks deal directly with their customers money, for insurance companies it is largely secondary, in other words, if your bank account is hacked money may be transferred, it is harder to exploit and online insurance account.
Secondly, it was evident that one of the biggest concerns for insurers is insurance fraud, however carried out, and it was not clear that this was harder or easier to deal with as the industry has moved online.
It was agreed that the two obvious area of vulnerability for insurers were the protection of personal and payment card data. Protecting both is of course a regulatory requirement in the EU, but also makes good business sense. An insurance company may be targeted for such data, not because it is an insurance company per se, but because its defences are weaker.
However, some interesting insurance specific threats also emerged. Stealing lists of policy holders would be useful for planning crimes, for example the targeted thefts of high value cars.
Another involved intellectual property (IP); as quoting for insurance has moved online, the industry has become highly competitive. To appear high on the listings of comparisons sites, where many insurance buyers end up, involves quoting via tightly guarded algorithms, some felt there was a possibility of industrial espionage in this area.
The insurance supply chain may also be vulnerable; many policies are sold via agents and brokers. However good a given insurance company’s own data security is, their Achilles’ heel could well turn out to be a smaller partner. It was noted that some well publicised data breaches relied on compromising smaller partners to find a way into a larger organisation’s IT systems. There should be an onus on insurers to advise and certify the security of it supply chain partners.
There are of course many benefits of being able to safely transact online. Other Quocirca research, not yet published, shows that confidence in the omni-channel (the mix and match of mobile apps, web sites, telephone, face-to-face etc.), which the attendees at the event agreed they need to embrace, goes hand-hand with higher levels of confidence in data security.
Another was being able to verify the ownership of insured assets, many of which can now be certified electronically via the internet-of-things (IoT), reducing the possibility of fraud.
As insurance companies seek to sell other businesses policies that address online risk, they will price protection depending on the security measures put in place to mitigate that risk. As the sector relies more and more on online interaction to keep up with its customers, insurers cannot afford to be seen to fall short of the IT security standards they expect of those they insure.