Balancing Innovation with Cybersecurity in Insurtech
Tried and tested legacy processes, controls, and systems typically underpin a complex industry where significant barriers to entry exist.
Within this landscape, small and agile Insurtech start-ups are continually pushing the boundaries of innovation, prompting traditional brokers and carriers to adopt technology more rapidly to improve the digital customer experience. Digital transformation is at the heart of the changing landscape in the insurance space today, offering smoother, faster ways for insurers to interact with customers and modernise underwriting, policy administration, billing, and other core processes. However, with greater levels of innovation comes the need for stronger security infrastructure. Companies need to find ways to balance innovation with security; risk taking with risk aversion.
Cyber risk in the insurance industry
As the digital transformation trend continues to disrupt traditional insurance companies and regulations continue to evolve, security is of course a fundamental requirement. Insurance companies are frequently near the top of the list when it comes to cyberattacks given the obvious value of the data they hold. What makes insurance companies a magnet for cybercriminals is a combination of factors, including the adoption of sophisticated business process tools and the greater use of big data and cloud technology.
Compliance regulations may provide a degree of protection if adhered to fully, but this simply is not enough. The insurance industry is subject to a variety of regulatory standards, including GDPR in Europe and HIPAA in the U.S., which span the spectrum from being very granular to incredibly vague. Irrespective of where a regulation falls within that spectrum, the costs for non-compliance are clearly significant, ranging from fines to reputational damage.
Just last November, Sweden’s largest insurer, Folksam, admitted to accidentally sharing private data on approximately one million of its customers with companies including Facebook, Google, LinkedIn, and Microsoft. Based on its global turnover, the company could be facing a hefty fine well into the hundreds of millions under the GDPR. Whilst in some ways regulatory standards may force insurers to rethink their cybersecurity strategies and hold them accountable for accidental data breaches, they do little to combat the wider issue of cybercrime.
Proactive cybersecurity measures are key
For insurers, understanding which of these regulatory standards apply to their software and deployment environment is the first step. What is vital, and often particularly challenging, however, is translating the individual regulatory requirements into security controls and development activities that are understandable by DevOps teams.
It is straightforward to deliver functional requirements for software, but security policies and requirements are often seen as a roadblock to the delivery process. For example, not accepting malformed data (such as special characters and negative numbers) or prohibiting hardcoded credentials takes precious extra time during tight development and testing cycles. Remembering to address security concerns is difficult when the focus is on rapid delivery of functional requirements in a fixed period.
While security testing helps in identifying vulnerabilities, insurers that proactively identify security risks and threats prior to the development process can make security requirements part of the developers’ assigned tasks. This is possible because a lot of the security threats to software can be linked directly to its architecture, technical stack, and deployment environment.
As regulations continue to mature, there will be increased emphasis on provenance and traceability. In today’s fast-moving business context, that implies shorter risk assessment lifecycles and continuous monitoring against regulatory policies. One way this is being achieved is through Balanced Development Automation platforms that bridge the gap between security and DevOps teams.
BDA tools focus on leveraging security proactively as a way of achieving speed to market whilst also adhering to set compliance regulations and standards. This means insurance companies can benefit from automating key proactive manual security processes that are often skipped due to their complexity.
By identifying threats and regulatory obligations in advance, engineering teams have clear tasks for integrating security in addition to functional requirements along the software development lifecycle. When security is built into software in this way from the outset, we can validate that security-related tasks were completed as planned and ensure that digital transformation activities will succeed.
Insurtechs are winning the race with legacy system companies
Nestled in its own place within the world of financial services, insurance is arguably more unpopular than retail banking.
That’s hardly surprising given that, from a customer service perspective, insurance is something of an off-kilter transaction. You pay a sizable premium in exchange for a service you hope you will never have to use. This image problem is exacerbated by ubiquitous tales of insurers not paying out when it is time to make a claim.
The insurance sector has long been due an overhaul, and this is where the disruptive force of insurtech comes in - one of fintech’s most upwardly mobile subcategories. Accordingly, last year, insurtech in the UK alone attracted £262m in investment, a growth of 60% on 2019, according to Tech Nation. Insurtech’s momentous growth has been captured in a new report by The AI Journal exploring this burgeoning sector.
What exactly is insurtech?
Put simply, insurtech refers to technological innovations that seek to make insurance cheaper to buy and more efficient to use. In a similar vein to fintech, the large, established institutions have been dipping their toes into insurtech, but it’s the disruptors who are genuinely looking to shake up the status quo, diving into and exploiting those areas that traditionalists have little imperative to explore.
Examples are price comparison sites (one of the earliest forms of insurtech that was eventually snapped up by the insurers it initially sought to disrupt), claims software, customisable policies, or even smart-tech-enabled dynamic policies whose premiums can fluctuate depending on changing circumstances.
The latter, for instance, could use someone’s fitness tracker or smartwatch to monitor fitness levels, thus reducing the premium of a life insurance policy; or track a GPS system that records the location of a car and assesses risk levels accordingly.
Most consumers tend to shop around for their insurance needs and perhaps end up buying their contents insurance with one provider, their car insurance with someone else, and their pet insurance with yet another underwriter. Managing all these different policies, with their varying renewal dates and payment terms, can be complex. This has led to an increase in apps that pull everything together.
More prosaically, insurtechs are developing AI that uses machine learning to act as an insurance broker, eliminating the need for a human intermediary and therefore offering more cost-effective and impartial advice.
Insurtechs and risk
But there are some obstacles in the way of insurtech’s continued evolution.
Insurance companies are averse to risk. Understandably so, as at the crux of the industry is the role of the actuary, whose job it is to analyse and measure the probability and risk of future events. So it’s little wonder that there’s a reluctance among the traditional players to welcome the disruption that insurtech brings.
Insurance is heavily regulated, a minefield of legality and labyrinthine jurisdiction, which means the idea of shaking it up can be anathema. And why would insurers shake things up, when their old-school business models are working perfectly fine?
There’s an understandable nervousness and unwillingness to work with startups, who themselves need to work with the bigger firms in order to underwrite risk.
While it seems like a catch-22 situation, there is growing, if cautious, interest from insurance companies, who can see the benefits of insurance with a friendlier face, innovative solutions, and a competitive edge through differentiation. As that tentativeness dissipates, the growth of insurtech will gather even more momentum.
Tom Allen's analysis is based on the findings of a new report on the fintech and insurtech industries produced by The AI Journal.