As insurance businesses move from old tech to newer digital systems and products, they could be opening themselves up to security risks.
Insurtech companies should implement strict, multi-layered security controls to prevent the sensitive personal data their clients share with them from falling into the wrong hands.
Global consulting firm Deloitte says: “Cyber-attacks in the insurance sector are growing exponentially as insurance companies migrate towards digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios.”
Aside from the direct cost of a breach – which IBM’s Cost of a Data Breach Report put at a global average of $4.45 million in 2023 – the damage to client confidence in a brand is hard to quantify.
“Securing data is not a simple task, and no single method is entirely foolproof against increasingly sophisticated hackers. Any insurance company worth its salt should have a multi-layered approach that extends from infrastructure, to network, through to development and staff behaviour to ensure that your data is safe,” says Jared Lesar, head of legal at insurtech platform Root.
He points out that regulations such as the UK Financial Conduct Authority’s Handbook and its guidance on cloud outsourcing, as well as the proposed cyber-security standards of South Africa’s Financial Sector Conduct Authority (FSCA), give detailed guidance on how to approach outsourcing. Compliance with industry standards such as ISO 27001 and SOC 2 is also essential.
Lesar summarises the five areas these regulations and standards cover in the insurtech space.
Cloud Infrastructure
Cloud-hosted data and infrastructure come with built-in security features that, used correctly, can exceed what an on-premises deployment offers. Enterprise-scale cloud providers such as AWS apply stringent physical and operational controls to their data centres and underlying infrastructure; the customer remains responsible for how the services built on top of it are configured (the shared-responsibility model).
They can also replicate data across several data centres or regions; if one site fails, the data stays available and downtime is minimised. Replication is a configuration choice rather than a default for every service, and for personal data it must be weighed against data-residency requirements.
“Sophisticated insurtech companies will allow you to provision a private instance of their platform in a cloud region of your choice,” Lesar adds.
Network Security
With an average of over 2 000 cyber-attacks taking place somewhere in the world every day, network security is essential.
According to Deloitte, “cyber-criminals have started to recognize that insurers possess large amounts of personal information about their customers, which is very attractive to identity thieves and fraudsters”, so network security is something no insurtech should take lightly.
Insurtechs should employ a mix of measures including firewalls, anti-virus software and technologies such as intrusion detection and prevention systems that monitor traffic and block malicious activity, Lesar notes.
Access Control and Authentication
Access to production infrastructure should be granted on a need-to-know basis, reviewed regularly and revoked when no longer required, and every employee accessing the platform should be subject to two-factor authentication.
As an added layer of security, Lesar says credentials should never be shared by staff, and they should use a password manager, which creates and stores strong passwords, as standard.
Secure Development
Security needs to be built into an insurtech platform at every stage.
“To ensure the utmost security during the development process, development and staging environments should be separate from production environments,” Lesar says. “No live personal information should ever be permitted in non-production environments.”
He advises that software developers should be familiar with secure coding practices, and that code should be peer-reviewed before it is deployed to production environments.
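A concrete way to honour the "no live personal information in non-production" rule, as an added example that is not code from the article or from Root: a Python export step that replaces direct identifiers with keyed HMAC tokens before a production extract is copied into staging, followed by a gate that refuses any dataset in which an ID number or a real e-mail address still appears. The field names, the sample rows and the key are constructed for illustration.

```python
"""Strip live personal information from a production extract before it is
loaded into staging, and check that nothing identifying slipped through.

Added example; not code from the article or from Root. Field names, sample
records and the key are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample: a few rows as a raw production export might look.
PRODUCTION_RECORDS = [
    {"policy_id": "POL-1001", "id_number": "8001015009087",
     "name": "Thandi Mokoena", "email": "thandi@example.com", "premium": 412.50},
    {"policy_id": "POL-1002", "id_number": "8001015009087",
     "name": "Thandi Mokoena", "email": "thandi@example.com", "premium": 99.00},
    {"policy_id": "POL-1003", "id_number": "9202205018089",
     "name": "Sipho Dlamini", "email": "sipho@example.com", "premium": 1250.00},
]

# Fields that identify a person directly. Anything listed here is replaced
# before the data leaves production; everything else is kept as-is.
DIRECT_IDENTIFIERS = ("id_number", "name", "email")

# Constructed key. In practice it lives only with the production-side export
# job (a secrets manager), never in staging, so tokens cannot be re-derived there.
EXAMPLE_KEY = b"constructed-export-key-not-for-real-use"

# Pattern checks for the staging gate: a standalone 13-digit run (the shape of
# a South African ID number) and an e-mail address on any domain other than
# the reserved .invalid TLD, which is what the pseudonymised e-mails use.
ID_NUMBER_RE = re.compile(r"\b\d{13}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token for a value.

    HMAC rather than a bare hash: ID numbers and names have little entropy,
    so an unkeyed SHA-256 could be reversed by enumerating candidates.
    Same key + same value -> same token, so joins across tables still work.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with every direct identifier replaced."""
    out = dict(record)
    for field_name in DIRECT_IDENTIFIERS:
        if field_name not in out:
            continue
        token = pseudonym(out[field_name], key)
        # Keep e-mails syntactically valid so application-side validation in
        # staging still passes; .invalid can never resolve (RFC 2606).
        out[field_name] = f"{token}@example.invalid" if field_name == "email" else token
    return out


def find_live_pii(records) -> list:
    """Gate for non-production loads: return (row, field, value) for every
    string value that still looks like an ID number or a real e-mail address.
    Pattern-based, so it catches structured identifiers but not free-text
    names; the allow-list in DIRECT_IDENTIFIERS is what removes those."""
    findings = []
    for i, record in enumerate(records):
        for field_name, value in record.items():
            if not isinstance(value, str):
                continue
            if ID_NUMBER_RE.search(value):
                findings.append((i, field_name, value))
            elif EMAIL_RE.search(value) and not value.endswith(".invalid"):
                findings.append((i, field_name, value))
    return findings


def build_staging_dataset(records, key: bytes) -> list:
    """Pseudonymise every row and refuse to hand back a dataset that still
    contains live identifiers."""
    staging = [pseudonymise_record(r, key) for r in records]
    leaked = find_live_pii(staging)
    if leaked:
        raise ValueError(f"live personal information in staging data: {leaked}")
    return staging


if __name__ == "__main__":
    print("raw extract leaks:", find_live_pii(PRODUCTION_RECORDS))
    for row in build_staging_dataset(PRODUCTION_RECORDS, EXAMPLE_KEY):
        print(row)
```

The two halves do different jobs: the field allow-list is what actually removes personal data, while the pattern gate is a backstop that fails the load if an export script is changed and an identifier is reintroduced under a new column name. Because the token is keyed, two rows for the same customer still share one token in staging (so referential integrity and realistic test data survive), but nobody with only staging access can map tokens back to ID numbers.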
Security Auditing
An insurtech that takes its security seriously will have had its internal security controls audited by an independent third party, for example through an ISO 27001 certification audit or a SOC 2 report.
Says Lesar: “Insurtech companies should be transparent about these third-party reports, and as a client, you have a right to ask about audits. They may share the audit reports with you under a non-disclosure agreement, but the reports should be available to you.”