By Altaz Valani, Director of Insights Research at Security Compass
Insurance companies have traditionally been cautious when it comes to adapting to change, particularly when that change is a digital one. Tried and tested legacy processes, controls, and systems typically underpin a complex industry where significant barriers to entry exist.
Within this landscape, small and agile insurtech startups are continually pushing the boundaries of innovation, causing traditional brokers and carriers to more rapidly leverage technology that will improve the digital customer experience. Digital transformation is at the heart of the changing landscape in the insurance space today, offering smoother, faster ways for insurers to interact with customers and modernise underwriting, policy administration, billing, and other core processes. With greater levels of innovation comes the need for stronger security infrastructure. Companies need to find ways to balance innovation with security; risk tolerance with risk aversion.
Cyber risk in the insurance industry
As the digital transformation trend continues to disrupt traditional insurance companies, and regulations continue to evolve, security is a fundamental requirement. Insurance companies are frequently near the top of the list when it comes to cyberattacks given the value of the data they hold. There are a number of factors that make insurance companies a magnet for cybercriminals, including the adoption of sophisticated business process tools and the use of big data and cloud technology.
Compliance regulations may provide a degree of protection if adhered to fully, but this simply is not enough. The insurance industry is subject to a variety of regulatory standards, including GDPR in Europe and HIPAA in the U.S., which span the spectrum from being very granular to incredibly vague. Irrespective of where a regulation falls within that spectrum, the costs for non-compliance are clearly significant, ranging from fines to reputational damage.
In November 2020, Sweden’s largest insurer, Folksam, admitted to accidentally sharing private data of approximately one million of its customers with companies including Facebook, Google, LinkedIn, and Microsoft. Based on its global turnover, the company could be facing a hefty fine well into the hundreds of millions under the GDPR. Whilst in some ways regulatory standards may force insurers to rethink their cybersecurity strategies and hold them accountable for accidental data breaches, they do little to combat the wider issue of cybercrime.
Proactive cybersecurity measures are key
For insurers, understanding which of the regulatory standards apply to their software and deployment environment is the first step. What is vital and often particularly challenging, however, is translating the individual regulatory requirements into security controls and development activities that are understandable by DevOps teams.
It is straightforward to deliver functional requirements for software, but security policies and requirements are often seen as roadblocks to the delivery process. For example, rejecting malformed data (such as special characters and negative numbers) or prohibiting hardcoded credentials consumes precious time during tight development and testing cycles. Remembering to address security concerns is difficult when the focus is on rapid delivery of functional requirements in a fixed period.
Insurers that proactively identify security risks and threats prior to the development process can make security requirements part of their developers’ assigned tasks. A lot of the security threats to software can be linked directly to its architecture, technical stack, and deployment environment. As regulations continue to mature, there will be increased emphasis on provenance and traceability. In today’s fast-moving business context, that implies shorter risk assessment lifecycles and continuous monitoring against regulatory policies. This can be achieved through Balanced Development Automation (BDA) platforms that bridge the gap between security and DevOps teams. BDA tools focus on leveraging security proactively as a way of achieving speed to market whilst also adhering to set compliance regulations and standards. This means insurance companies can benefit from automating key proactive manual security processes that are often skipped due to their complexity.
By identifying threats and regulatory obligations in advance, engineering teams have clear tasks for integrating security in addition to functional requirements along the software development lifecycle. When security is built into software from the outset, organisations can validate that security-related tasks were completed as planned, and ensure that digital transformation activities will succeed.