Data Protection: The Best Policy for Insurers


Trust is everything in the insurance industry. Policyholders expect the highest standards of protection, honesty and security from the firms they use, particularly when their personal data is involved. Today, any insurance firm that fails to live up to those expectations and does not protect customer data should expect disgruntled customers to go elsewhere, not to mention potentially heavy regulatory fines. The digital age has only made this security situation more complex. And it is not just targeted theft or hacking that lies at the root of security issues: innocent human error can also cause huge data loss, purely because of a lack of appropriate data management and restriction systems, or because staff have never been trained in data management. Similarly, whereas data loss once meant physical files and folders falling into the wrong hands, the growth of cloud, bring your own device, mobile working and the public internet means that errant information can now quickly make its way around the world, and into the wrong hands.

As such, data is no longer purely an asset. Instead it is a huge, and potentially toxic, liability. Breaches can, and do, lead to fines, reputational damage and customer loss. Yet while some firms seem to understand this and are taking steps to implement better data security protocols, for most there are just too many barriers in the way: not least insufficient encryption, a lack of data classification, and understrength (or non-existent) data handling rules. To start managing data with the care it requires, firms need to prioritise a robust data protection roadmap alongside any planned digital transformation initiatives. They need infrastructure that supports the latest encryption and intelligent security solutions, along with educated end users, managed data sovereignty, and IT teams that understand and contribute to core business goals. This article looks at the big data challenges and what needs to be done to meet them.

The problem with data

Due to the nature of their business, insurance providers deal with their customers' most sensitive personal information, including vital statistics, medical records and banking details. Naturally, this requires robust defences to keep hackers at bay and to prevent innocent mistakes causing data to fall into the wrong hands. However, in common with many other financial services industries, insurers are struggling to keep up with their responsibilities: understanding what data is stored where and who is in charge of its protection, which employees can access data, the systems needed to keep everything secure, and how technological, operational and innovation plans should incorporate data protection. This is particularly true given the number of easily accessible cloud storage options now available. While the problem is multi-faceted, its root cause can be found in several core issues.
The first of these, arguably, is the ever-increasing pressure placed on businesses by insurance regulators and governments, and their many global variations. Over the past few years, the level of regulatory guidance to insurers has heightened significantly, with new details issued by companies themselves as well as by individual governments and the EU. In many large international companies, regulations are distributed to regions by a central office. Yet, with no additional advice on how to interpret and act on them, these companies are encountering the problem of different regions taking different approaches to the same guidance, adding yet another layer of complexity to an already tricky area of data management. Some firms are taking what appears to be a forward step in appointing a Chief Data Officer, with whom the data regulatory buck theoretically stops, and who should ensure that regulations are interpreted in a standard fashion around the world. However, in actuality, data compliance remains the legal responsibility of the CEO, who often has no sight of it.

Encryption is the clear goal for insurers looking to stay on the right side of their regulatory requirements, because it ensures that data is safeguarded whether stolen from a hard drive or lifted from a lost laptop. And when centrally controlled, it negates the lost-in-translation problem that multinational firms suffer from. But encryption will never work for firms with a startling lack of clarity over who is actually in charge of it in the first place, or for those who suffer from the most needless, yet most common, breach cause of all: the innocent mistake.

2017 CloudTalent Ltd. All rights reserved.

The unintended enemy within

Unless an information-owning organisation knows what data it holds, who can access it and where it can be sent, it is wide open to severe loss or breach. While the instinct is often to push back against the external hacker, just as often the problem will begin within the company's walls, and it will be no one's fault. For example, consider how likely this situation is: a junior employee is asked to send a document to an external partner, does so, and discovers afterwards that the information contained in that document is actually extremely sensitive in nature. The insurance firm that employee works for has now suffered a data breach without even knowing it. There has been no break-in, no hack, and no criminal intent from anyone involved in the process. But regulations have been contravened and, when the firm and regulators find out about it, there will be consequences. A worryingly large number of insurance firms today face that exact problem. Indeed, 50% of all data leakage issues occur because of innocent user errors. Partly this is because data no longer exists within physical silos, so employees can let sensitive or restricted files out of their organisations very easily. Yet the bigger issue is that many lack a real understanding of how to classify, govern and protect data. When that is the case, encryption is futile and insurers are vulnerable to the severe consequences that come with data loss.

Penalties and benefits

In much the same way as has taken place in the banking industry, the impact of data breaches can range across entire insurance firms, in addition to the reputational damage that extends into the public domain. Understandably, financial penalties may be front of mind for those in charge of potentially vulnerable, unprotected data. Yet they are really only the start of the story.
While fines ranging into the tens of millions should be expected by an insurance firm that suffers a large breach, there are usually softer costs added on, which make the matter far worse. For instance, if a company suffers a breach in which sensitive personal customer data is taken, that firm may be obliged to carry out a check for each potentially affected individual to see if their information has been lost. And although the cost of each check is not huge, perhaps as low as 10, when multiplied by thousands of customers it can quickly grow into a major concern. Then there is the negative effect on a company's reputation. A breach can be so public and so newsworthy that good sentiment will erode quickly, encouraging current customers into the arms of rivals and deterring future business.

Staying clear of trouble

The need for insurance firms to better protect their data has never been clearer. As such, some companies are looking at how they can use technology to bring their data protection protocols in line with where they need to be. Importantly, these innovators are not just looking at one level of data protection, such as encryption. They are working with industry experts to take a thorough overview of their systems and tools to ascertain where threats may exist, where data protection and classification need boosting, and how to balance higher security with the smooth running of the organisation. It is a multi-layered approach. Yet a good first step is to implement philosophies, solutions and a programme of education to eradicate those innocent, yet entirely unnecessary, mistakes that allow data to get out. The starting point for this should be a data classification exercise, which will give insurers an understanding of what they own and how toxic it would be to them, and to their clients, in the wrong hands.
Next should be the creation of a clear and understandable data governance programme, dictating the levels of permission for each employee role so that people cannot access or distribute certain data, and specifying what data should under no circumstances be shared outside the organisation without appropriate data handling in place.

Fortunately for insurers, they can build the technology that does this into a wider transformation programme. Office 365, for example, offers an automated, intelligent and analytical cloud-based solution that sits above the rest of the business's technology and manages how workers access and use data. Importantly, this technology offers two levels of protection: restriction or warning. So firms can either completely block employees from inadvertently accessing sensitive data, or tell them that they are trying to do so, asking at the same time if they would like to continue. With this functionality, insurers can not only stop innocent mistakes, they can encourage staff to learn from the mistakes they might otherwise have made.

After improving data classification and sovereignty, the task is to return to encryption. Crucially, now, with greater visibility, firms will not only know what needs to be encrypted, but who the owner of the policy will be. At the core of this must be the encryption of data both at rest and in transit, so that all eventualities are covered, as well as management of encryption keys, which for most firms will be informed by regulations. However, both encryption and classification will be understrength if they are not part of a total desktop and device transformation strategy. As such, CIOs working in insurance should be asking themselves big questions, such as: am I implementing policies that only allow properly encrypted USB drives to operate when plugged into company-owned devices? And do I have tools in place to stop data access when a user connects to an unsecured network, or attempts to upload sensitive documents to Dropbox? Similarly, CIOs need to take a look at what infrastructure they have and whether any legacy technology is going to cause problems by being unable to work according to new regulations. There is a common complaint that tight security can impede business efficiency, so ensuring a fine balance between the two is vital to introducing data security protocols that the whole business will actively get on board with and take seriously. Above all, security must be part of the enterprise IT architecture and not an afterthought. However, that depends on the business taking more ownership of data security, and working closely with IT and the C-suite to define an appropriate security framework.

Better security means better business

Every insurance firm's path to improved data protection will be different. It will depend on where they are in their digital transformation journey, on how they want to balance risk and security, and on management's will to abandon legacy technologies that do not support the best modern security systems and upgrade to those that do. Key to success is involving expert providers, who will spend time working with a business to understand its precise needs and develop policies that cater to them: experts who know that the path to robust data security may be long and challenging, but that the rewards are there for those who take it. If you want to know more about data protection for insurance, speak to CloudTalent, a strategic advisory business that has a unique approach for identifying a company's current state and defining its future state. This approach has helped companies optimise costs, improve services and reduce risks for their business by helping to transform their IT. www.cloudtalent.avanade.com
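The three steps the article recommends (classify what you hold, give each role a permission level, then enforce sharing with either a hard block or a warning the user must confirm) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the article, from CloudTalent or from Office 365. The content markers, role table, domains and sample documents are all constructed for illustration, and the crude regex detectors stand in for the proper PII/PHI classifiers a real deployment would use. It replays the article's "junior employee sends a sensitive document to a partner" scenario and shows how classification plus a role ceiling turns that silent breach into a blocked action with an audit record.

```python
"""Toy classification-and-handling policy engine (added example; all data constructed).
Steps modelled: 1) classify content, 2) map roles to a handling ceiling,
3) decide ALLOW / WARN (user must confirm) / BLOCK for each outbound share,
keeping an audit trail of every decision."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed content markers: a match raises the document to at least the paired level.
MARKERS = [
    (re.compile(r"\b(diagnosis|medical record|prescription)\b", re.I), Level.RESTRICTED),
    (re.compile(r"\b\d{2}-\d{2}-\d{2}\b"), Level.RESTRICTED),   # UK-style sort code
    (re.compile(r"\b\d{8}\b"), Level.RESTRICTED),               # 8-digit account number
    (re.compile(r"\bpolicy (number|no\.?)\s*[A-Z0-9-]+", re.I), Level.CONFIDENTIAL),
    (re.compile(r"\b(date of birth|dob)\b", re.I), Level.CONFIDENTIAL),
    (re.compile(r"\binternal use only\b", re.I), Level.INTERNAL),
]

# Constructed governance table: the most sensitive level each role may handle at all.
ROLE_CEILING = {
    "junior_claims": Level.CONFIDENTIAL,
    "underwriter": Level.RESTRICTED,
    "marketing": Level.INTERNAL,
}

# Levels that may never leave the organisation via an ordinary share, whatever the role.
NEVER_EXTERNAL = {Level.RESTRICTED}


def classify(text: str) -> Level:
    """Return the highest level triggered by any marker found in the text."""
    level = Level.PUBLIC
    for pattern, min_level in MARKERS:
        if pattern.search(text):
            level = max(level, min_level)
    return level


@dataclass
class ShareRequest:
    user: str
    role: str
    document: str
    recipient_domain: str
    acknowledged: bool = False   # True once the user has confirmed a warning


@dataclass
class PolicyEngine:
    org_domain: str
    audit: list[tuple] = field(default_factory=list)

    def evaluate(self, req: ShareRequest) -> tuple[str, Level, str]:
        """Return (decision, classification, reason) and record the decision."""
        level = classify(req.document)
        external = req.recipient_domain.lower() != self.org_domain.lower()
        ceiling = ROLE_CEILING.get(req.role, Level.PUBLIC)  # unknown roles get the minimum
        if level > ceiling:
            decision, reason = "BLOCK", f"role {req.role} may not handle {level.name} data"
        elif external and level in NEVER_EXTERNAL:
            decision, reason = "BLOCK", f"{level.name} data may not leave {self.org_domain}"
        elif external and level >= Level.INTERNAL and not req.acknowledged:
            decision, reason = "WARN", f"{level.name} data bound for {req.recipient_domain}; confirm to continue"
        elif external and level >= Level.INTERNAL:
            decision, reason = "ALLOW", "user acknowledged the warning"
        else:
            decision, reason = "ALLOW", "within policy"
        self.audit.append((req.user, req.role, level.name, req.recipient_domain, decision))
        return decision, level, reason


# Constructed sample documents.
SAMPLE_DOCS = {
    "claim_notes": "Claimant diagnosis: fractured wrist. Policy number PL-44812. "
                   "Sort code 12-34-56, account 12345678.",
    "renewal_letter": "Dear customer, your policy number PL-44812 renews next month. "
                      "Please confirm the date of birth we hold.",
    "brochure": "Our new motor cover. Internal use only until launch.",
    "press_release": "We are delighted to announce our new motor product.",
}


def run_demo() -> PolicyEngine:
    """Replay the article's 'junior employee' scenario plus a few variations."""
    engine = PolicyEngine(org_domain="example-insurer.test")
    requests = [
        ShareRequest("jdoe", "junior_claims", SAMPLE_DOCS["claim_notes"], "partner-firm.test"),
        ShareRequest("asmith", "underwriter", SAMPLE_DOCS["claim_notes"], "partner-firm.test"),
        ShareRequest("asmith", "underwriter", SAMPLE_DOCS["claim_notes"], "example-insurer.test"),
        ShareRequest("jdoe", "junior_claims", SAMPLE_DOCS["renewal_letter"], "broker.test"),
        ShareRequest("jdoe", "junior_claims", SAMPLE_DOCS["renewal_letter"], "broker.test", acknowledged=True),
        ShareRequest("mlee", "marketing", SAMPLE_DOCS["brochure"], "agency.test"),
        ShareRequest("mlee", "marketing", SAMPLE_DOCS["press_release"], "agency.test"),
    ]
    for req in requests:
        decision, level, reason = engine.evaluate(req)
        print(f"[{decision:5}] {req.user:6} {req.role:13} {level.name:12} -> {req.recipient_domain}: {reason}")
    return engine


if __name__ == "__main__":
    run_demo()
```

The order of the checks is the point: the role ceiling is tested first, so a junior employee never even reaches the warning prompt for data they should not hold; the "never external" set enforces the article's "under no circumstances" category regardless of seniority; and everything else that is non-public and leaving the organisation falls through to a warning the user must acknowledge, which is the learning moment the article describes. The audit list is what an insurer would later need to demonstrate to a regulator that the control existed and fired.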

About CloudTalent

CloudTalent, an Avanade company, is a UK-based strategic advisory business with a highly experienced management team and professionals. Founded as the Network Storage company in 2002, we help clients from many different industries transform their business by transforming their IT. We employ some of the UK's leading experts in IT and business transformation. We have over 500 members in our associate network and are proud of our impartial, practical and expert approach. For more information about CloudTalent and our unique Line of Sight transformation methodology, please visit www.cloudtalent.avanade.com

CloudTalent Ltd.
60 Queen Victoria Street
London EC4N 4TR
contact@cloudtalent.co.uk
+44 (0) 20 7025 1000

2017 Avanade Inc. All rights reserved.