The insurance industry holds vast amounts of sensitive personal and financial information on the customers it insures. It is therefore easy to see why insurance would be a valuable target for financial criminals.
According to IBM’s latest Threat Intelligence Index, the finance and insurance industries are the second biggest target globally for scammers, accounting for nearly a quarter (22.4%) of all known cyber attacks. Only the manufacturing sector recorded more attacks in 2021, something which IBM attributes to emerging vulnerabilities such as the weakening of global supply chains. It was the first time in more than five years that finance and insurance was not the most targeted industry, highlighting the persistent threat that exists to insurance carriers and insurtechs.
GRC International Group is a provider of IT governance, risk management and compliance solutions. Its CEO, Alan Calder, tells InsurTech Magazine: “Cybercriminals are pros at accessing, exfiltrating and monetising personal databases. They’re good at extorting organisations that hold personal data, and then extorting the data subjects to keep the data confidential. Insurers, like all organisations, are being pushed into increasing digitisation and automation and, unless cyber security and privacy issues are considered in detail as part of project planning, organisations tend to leave large holes in what should be secure systems. Cyber criminals find and exploit these gaps. As well as these technical vulnerabilities, cyber criminals regularly ‘social engineer’ staff into providing access to systems and data.
“This all means that insurers have to build privacy by design into their systems, and they have to train and keep their staff continuously aware of the ever-changing social engineering attacks that are being focused on them.”
The dangers around personal data for insurers
As the insurance industry migrates onto new technology, it needs to constantly assess its vulnerabilities. If a new platform exposes an insurer to fraudsters, it is clearly more of a liability than an asset. Throw into that mix a growing number of partnerships, acquisitions and integrations within the sector and you begin to see the extent and nature of risk that insurers face.
“One of the biggest concerns in the insurance sector when it comes to using data is how widespread party sales functions are,” says independent data consultant Caroline Carruthers, who was one of the UK’s first Chief Data Officers at Network Rail and now advises public and private organisations on their use of data.
“Agents who sell insurance often use third-party data, and they don’t always have a robust process for how data is transferred to each organisation. That in itself is a foundation-level issue because if you can’t rely on consistent, quality data coming to you, and you can’t rely on consistent governance and security of that data, you’re approaching data transformation with your hands and feet tied.
“Any transfer of data between two different systems has an element of risk. Thankfully, most insurance companies have moved on from manual data entry, which poses the highest risk, but not enough companies have standardised how they transfer and store data across third parties. If you’ve paid for a lot of data from external sources, you need to be able to use it to drive value instead of being hampered by poor processes.”
Are consumers still willing to share their data with insurers?
Despite the high stakes, consumers don’t seem to be put off from sharing their data with insurers in the first place – particularly if they get an incentive in return. However, consumers are still mindful about the use and misuse of their data. More than 80% of consumers worry about how their personal details are being used online, according to ecommerce company Motive.co.
But there are silver linings: a survey of 1,000 North American consumers by McKinsey found that financial services was the joint most trusted sector when it comes to personal data being kept securely. Establishing robust systems and closing vulnerabilities are important for preventing breaches. For public perception, however, how you engage with customers can be crucial – not as a way of securing your business against cyber attacks, but as a way of being seen to do the right thing.
According to McKinsey’s survey, not asking customers to provide irrelevant data and reacting quickly and positively to hacks were the two highest-scoring trust markers – the only steps that insurers could take that resonated with more than half of McKinsey’s respondents.
Joe Diamond, VP of Product Strategy EMEA for identity platform Okta, says: “When the General Data Protection Regulation (GDPR) first came into force in 2016, it marked the beginning of similar laws protecting individuals’ right to privacy and consumers’ control over their personal data. Within Europe… a clear majority (55%) of respondents to Okta’s Digital Identity survey voiced their support for this legislation.
“Consumers now truly understand the value of their data and believe its privacy should be protected, but this doesn’t mean they’re unwilling to share their information. In general, people are becoming more inclined to exchange their data for money, goods, services or other benefits when they believe they’re getting something worthwhile in return. This is no different within the insurance industry, which has historically driven the enhancement of both security and safety across many industries.”
Caroline Carruthers explains how insurers can do this: “Black boxes on cars are a great example of how data can help both the consumer and the insurer: by giving more ‘at risk’ drivers a chance to prove that they drive safely, insurers give them a route out of having to pay a higher premium, whilst insurers get the peace of mind that a financial incentive will generally encourage drivers to be more cautious. However, insurers should also be looking at this as an educational tool rather than a heavy-handed stick: data shouldn’t just be used to charge less cautious drivers or less healthy people more for their insurance. Rather, it should be used to reward those who are doing better. Ultimately, it’s in an insurer’s best interests for someone not to claim, so positive reinforcement of good, non-risky behaviour will benefit them too.”