In the old days, movie and TV crime thrillers focused on nefarious villains going to extraordinary lengths to rob cash, precious metals, or rare jewels from supposedly impregnable vaults. But now the most feared criminals don’t have to leave the comfort of their own homes to do their dirty work. They can remotely infiltrate a company’s technology infrastructure to steal one of the most valuable commodities sought on the black market today—personally identifiable information.
The more virtual we become in conducting our business, the more vulnerable we’re becoming to identity theft. No one is safe, given the amount of material we share that could come back to haunt us if our private information falls into the wrong hands.
Virtually no major business is immune from data security exposures. But for the moment, let’s focus on one industry with which we in the claims management field are all very familiar—insurance.
Data is the lifeblood of the increasingly tech-driven insurance business. If infected by a maliciously planted computer virus or victimized by a parasite who hacks into their systems, insurers could face legal liabilities that might cost millions to redress.
Even minimal data breaches can be very costly for insurers. Once an intrusion is discovered, a series of claims management responses is often set in motion regardless of whether individual or class-action lawsuits are ever filed. For example, there might be direct expenses for:
-
Additional security to close the breach;
-
Data forensics to learn exactly how the breach occurred and who was affected;
-
Policyholder notification and possible restitution;
-
Call centers to handle public queries;
-
Credit checks for those whose personal information might have been compromised; and
-
Regulatory compliance/penalties.
However, it is the indirect costs in terms of reputational damage that, while harder to measure, might turn out to be the far greater loss if a cyberattack spooks policyholders and prospects, prompting them to seek safer data harbors to dock their most sensitive information.
Data breaches are not an idle threat for insurers. Indeed, about 40 percent of 46 major insurance organizations experienced one or more cyberattacks in the prior 12 months, according to the “2012 Global Financial Services Security Study” released last summer by Deloitte Touche Tohmatsu Ltd. At the same time, the Deloitte survey found that 43 percent of insurance company respondents do not believe they are adequately equipped to fend off an intrusion and protect sensitive customer data.
Meanwhile, insurers are bracing for the possibility of more stringent consumer protection laws, as well as regulations requiring much more disclosure about data security efforts and details regarding any breaches that occur. This at a time when the amount of data being mined, collected, and stored by insurers is multiplying exponentially in the quest to improve operational effectiveness and efficiency, especially when it comes to claims management and fraud prevention.
Yet insurers cannot afford to live in a cave. A growing number of customers expect 24/7 access to their carriers via desktops, laptops, tablets, and mobile phones. Claims adjusters and agents in the field have the same expectations.
The question then becomes how might insurers better protect customer data, while limiting the damage if a breach occurs despite their loss control efforts.
Part of the problem is that the threat is becoming more and more complex. The cybercrime community includes not only lone wolves preying on susceptible systems, but also organized criminal syndicates, third-party enablers, and corporate insiders. Attack points are not limited to an insurer’s main information technology infrastructure, as hackers also seek back-door access through perhaps less secure mobile, social media, or remote cloud computing systems.
It’s worth it for insurers to account for each of these potential access points, as Deloitte did during a webcast for insurers last summer, examining “The Evolution of IT Security Risks Confronting the Insurance Industry.”
Take cloud computing, for example. Clouds offer insurers a tremendous opportunity to transform their legacy IT systems overnight. Clouds provide the benefits of scale while allowing insurers to outsource staff and hardware in a non-core area. But, unfortunately, there are inherent risks when insurer data resides off-site, which is one big reason why 40 percent of those insurance organizations surveyed by Deloitte said they had not yet taken the plunge into cloud computing.
In Deloitte’s IT security webcast, insurers were urged to “trust but verify” before transferring sensitive data to clouds. Data security should be a prime due-diligence factor when assessing potential cloud vendors, with insurers reserving the right to spot-check security capabilities on a regular basis. They were also advised to know where the cloud components and their data will be warehoused, as well as who will be responsible for risk management and their qualifications for this critical job.
A key piece of advice was for insurers to remember that, while they may be able to outsource functions, they cannot outsource risks when it comes to data security. If a cloud is compromised, the insurer is the one ultimately responsible for a policyholder’s data privacy. And it is the insurer—not just the vendor—whose reputation could be irreparably harmed by a breach.
At the same time, exposures are rising as insurance personnel become more virtual, taking sensitive data along for the ride. Claims adjusters are among the most mobile of insurance company personnel, and they carry a veritable treasure trove of information around with them—at times to chaotic, often unsecured sites. This is particularly true wherever a catastrophe strikes, when a valuable piece of equipment (and the data it holds) is more vulnerable to being lost or stolen.
Webcast attendees were also warned that the proliferation of mobile apps may complicate the enforcement of enterprise security standards. Yet despite these concerns, more than half of those insurance organizations surveyed by Deloitte last year said they did not have data loss prevention programs in place specifically for mobile devices.
Insurers should therefore lock down data access on mobile systems as tightly as possible. That means taking security capabilities and limitations into consideration in purchase decisions, while configuring mobile devices to minimize the chance they might be hacked or tampered with. Training employees and putting protocols in place to lower the odds of mobile equipment being lost or stolen while in the field is also critical.
On social media, many carriers are still working to develop a comprehensive strategy to create relationships that go beyond using the platform as a virtual billboard. However, insurers cannot afford to lose sight of the associated risks as social media opens up new avenues for a possible attack.
While insurers cannot afford to abandon or avoid social media out of security concerns, they should take such considerations into account in setting policies to manage data access in this still evolving channel.
Of course, many data-intensive businesses buy insurance to cover their breach exposures. There’s no reason why insurers couldn’t transfer some of these risks to other carriers that specialize in this developing field. And there are experts who can provide loss control advice to insurers to help prevent breaches from happening in the first place, as well as crisis management services if the worst-case scenario becomes a reality and a carrier’s policyholders (and reputation) are at risk.
In the end, all of these data security concerns should be balanced with practical considerations. Setting up too many limits and protocols could end up undermining the value of data-management systems and mobile devices to insurance claims managers and their colleagues.
After all, the existence of jewel thieves doesn’t mean people should shelter their valuables so thoroughly as to be inaccessible or that they should stop wearing jewelry altogether. There has to be a happy medium. The need for data protection should therefore be weighed against productivity concerns to produce a reasonable, workable loss-control and claims management program customized for each carrier’s unique exposures.
Then, keep your fingers crossed.
Sam Friedman is insurance research leader with Deloitte’s Center for Financial Services in New York. He has been a CLM Fellow since 2011 and can be reached at samfriedman@deloitte.com.