The need to protect sensitive data is attracting more attention than in the past with the recent introduction of the Notifiable Data Breaches scheme in Australia and Europe’s General Data Protection Regulation (GDPR). Insurance companies are particularly affected because they have access to incredibly sensitive customer data. They need to protect it to comply with privacy and data breach laws, as well as to maintain their customers’ faith, according to Atradius.
As other sectors such as banking become more secure, the insurance industry is becoming an increasingly-attractive target due, in part, to the valuable data insurers hold on individuals. Customers of insurers and customers being serviced and managed by brokers, are really getting aware about data privacy and need assurance that the information they share is protected and not used/passed on without their knowledge and consent.
Mark Hoppe, managing director, Australia and New Zealand, Atradius, said, “Data is the lifeblood of insurance companies; without accurate and comprehensive data it’s almost impossible to provide a viable and sustainable offering. Therefore, insurance providers need to take every possible measure to protect data. These new regulations provide insurance companies with an opportunity to adjust and improve to protect data and demonstrate to customers that they’re committed to protecting their privacy.”
Risk management is bread and butter to insurance companies but managing their own exposure to cyberthreats can prove challenging.
KPMG’s recent Global CEO Outlook survey revealed that less than half of the insurance CEOs surveyed (43 per cent) said that their organisation was fully prepared for a cyber event. (1) This statistic becomes even more worrying considering the increasing amount of insurance transactions occurring online. This online activity provides targets for cybercriminals and every point needs to be secured.
Insurance providers can focus on five key areas to address cyber risks:
- Elevation
Insurers can’t leave cybersecurity to the IT team in isolation. Most organisations have elevated cybersecurity to a boardroom issue and insurance providers must do the same. This includes appointing a senior executive to the C-suite so business decision-makers can get a clear picture of cyber risk and what’s being done to address it. - Posture
Insurance providers need to ensure their cybersecurity posture is strong. This means reviewing the capabilities that are already in place, identifying any gaps, then plugging the gaps as needed. Where best practices are already in place, insurers need to populate those throughout the organisation. - Communication
Everyone in the organisation needs to understand that security is their responsibility, from the CEO down. This includes understanding where vulnerabilities could come from, such as third-party suppliers and partners, agents, and employees with access to sensitive data. Insurance brokers and advisers are right at the front-end so the insurance companies need to make sure that they are across the topic and understand it at the same level. - Collaboration
Leaders throughout the organisation need to work together to understand how to meet the cyber challenge most effectively. Distributing resources appropriately and creating a clear cyberattack response plan are crucial. - Planning
Organisations need to develop a cyber response plan and review it regularly to ensure they’re prepared for an incident. This includes delineating responsibilities, training all team members, and practising for potential scenarios.
Mark Hoppe said, “Insurance companies need to prioritise cybersecurity like never before. This is important to comply with evolving legislation and, even more crucially, it helps demonstrate to customers that the business is committed to their privacy and it protects the valuable data that insurers rely on.”
Reference:
(1) KPMG: Closing the Gap: Cyber Security and the insurance sector. July 2017
