Balancing Innovation with Cybersecurity in insurtech
Tried and tested legacy processes, controls, and systems typically underpin a complex industry where significant barriers to entry exist.
Within this landscape, small and agile Insurtech start-ups are continually pushing the boundaries of innovation, causing traditional brokers and carriers to also more rapidly leverage technology that will improve the digital customer experience. Digital transformation is at the heart of the changing landscape in the insurance space today, offering smoother, faster ways for insurers to interact with customers and modernise underwriting, policy administration, billing, and other core processes. However, with greater levels of innovation comes the need for stronger security infrastructure. Companies need to find ways to balance innovation with security; risk taking with risk aversion.
Cyber risk in the insurance industry
As the digital transformation trend continues to disrupt traditional insurance companies and regulations continue to evolve, security is of course a fundamental requirement. Insurance companies are frequently near the top of the list when it comes to cyberattacks given the obvious value of the data they hold. The things that makes insurance companies a magnet to cybercriminals is a combination of factors including the adoption of sophisticated business process tools and the greater use of big data and cloud technology.
Compliance regulations may provide a degree of protection if adhered to fully, but this simply is not enough. The insurance industry is subject to a variety of regulatory standards, including GDPR in Europe and HIPAA in the U.S., which span the spectrum from being very granular to incredibly vague. Irrespective of where a regulation falls within that spectrum, the costs for non-compliance are clearly significant, ranging from fines to reputational damage.
Just last November, Sweden’s largest insurer, Folksam, admitted to accidentally sharing private data on approximately one million of its customers to companies including Facebook, Google, LinkedIn, and Microsoft. Based on its global turnover, the company could be facing a hefty fine well into the hundreds of millions under the GDPR. Whilst in some ways regulatory standards may force insurers to rethink their cybersecurity strategies as well as also hold them accountable for accidental data breaches, it does little to combat the wider issue of cybercrime.
Proactive cybersecurity measures are key
For insurers, understanding which of these regulatory standards apply to their software and deployment environment is the first step. What is vital and often particularly challenging however, is translating the individual regulatory requirements into security controls and development activities that are understandable by DevOps teams.
It is straightforward to deliver functional requirements for software, but security policies and requirements are often seen as a roadblock to the delivery process. For example, not accepting malformed data (such as special characters and negative numbers) or prohibiting hardcoded credentials takes precious extra time during tight development and testing cycles. Remembering to address security concerns is difficult when the focus is on rapid delivery of functional requirements in a fixed period.
While security testing helps in identifying vulnerabilities, insurers that proactively identify security risks and threats prior to the development process can make security requirements part of the developers’ assigned tasks. This is possible because a lot of the security threats to software can be linked directly to its architecture, technical stack, and deployment environment.
As regulations continue to mature, there will be increased emphasis on provenance and traceability. In today’s fast-moving business context, that implies shorter risk assessment lifecycles and continuous monitoring against regulatory policies. One way this is being achieved is through Balanced Development Automation platforms that bridge the gap between security and DevOps teams.
BDA tools focus on leveraging security proactively as a way of achieving speed to market whilst also adhering to set compliance regulations and standards. This means insurance companies can benefit from automating key proactive manual security processes that are often skipped due to its complexities.
By identifying threats and regulatory obligations in advance, engineering teams have clear tasks for integrating security in addition to functional requirements along the software development lifecycle. When security is built into software in this way from the outset, we can validate that security related tasks were completed as planned and ensure that digital transformation activities will succeed.