Data Protection: The Best Policy for Insurers

Trust is everything in the insurance industry. Policyholders expect the highest standards of protection, honesty and security from the firms they use, particularly when their personal data is involved. Today, any insurance firm that fails to live up to expectations and does not protect customer data should expect disgruntled customers to go elsewhere, not to mention potentially heavy regulatory fines.

The digital age has only made this security situation more complex. And it's not just targeted theft or hacking that's at the root of security issues. Innocent human error can also cause huge data loss, purely because of a lack of appropriate data management and restriction systems, or staff who have never been trained on data management. Similarly, whereas data loss would once have involved physical files and folders falling into the wrong hands, the growth of cloud, bring your own device, mobile working and the public internet means that errant information can now quickly make its way around the world, and into the wrong hands.
As such, data is no longer purely an asset. Instead it's a huge, and potentially toxic, liability. Breaches can, and do, lead to fines, reputational damage and customer loss. Yet while some firms seem to understand this, and are taking steps to implement better data security protocols, for most there are just too many barriers blocking the way: not least insufficient encryption, a lack of data classification, and understrength (or non-existent) data handling rules.

To start managing data with the care it requires, firms need to prioritise a robust data protection roadmap alongside any planned digital transformation initiatives. They need infrastructure that supports the latest encryption and intelligent security solutions, along with educated end users, managed data sovereignty, and IT teams that understand and contribute to core business goals. This article looks at the big data challenges and what needs to be done to meet them.

The problem with data

Due to the nature of their business, insurance providers deal with their customers' most sensitive personal information, including vital statistics, medical records and banking details. Naturally, this requires robust defences to keep hackers at bay, and to prevent innocent mistakes causing data to fall into the wrong hands. However, in common with many other financial services industries, insurers are struggling to keep up with their responsibilities: understanding what data is stored where and who is in charge of its protection; which employees can access data; the systems needed to keep everything secure; and how technological, operational and innovation plans should incorporate data protection. This is particularly difficult given the number of easily accessible cloud storage options now available. While the problem is multi-faceted, its root cause can be found in several core issues.
The first of these, arguably, is the ever-increasing pressure placed on businesses by insurance regulators and governments, and the many global variations in their requirements. Over the past few years, the level of regulatory guidance to insurers has heightened significantly, with new details issued from companies themselves, as well as from individual governments and the EU. In many large international companies, regulations are distributed to regions by a central office. Yet, with no additional advice on how to interpret and act on them, these companies are encountering a problem of different regions taking different approaches to the same guidance, adding yet another layer of complexity to an already tricky area of data management.

Some firms are taking what appears to be a forward step in appointing a Chief Data Officer, with whom the data regulatory buck theoretically stops, and who should ensure that regulations are interpreted in a standard fashion around the world. However, in actuality, data compliance remains the legal responsibility of the CEO, who often has no sight of it.

Encryption is the clear goal for insurers looking to keep on the right side of their regulatory requirements, because it ensures that data is safeguarded whether stolen from a hard drive or lifted from a lost laptop. And when centrally controlled, it negates the "lost in translation" problem that multi-national firms suffer from. But encryption will never work for those firms with a startling lack of clarity over who is actually in charge of it in the first place, or who suffer from the most needless, yet most common, breach cause of all: the innocent mistake.

2017 CloudTalent Ltd. All rights reserved.
The unintended enemy within

Unless an information-owning organisation knows what data it holds, who can access it and where it can be sent, it is wide open to severe loss or breach. While the instinct is often to push back against the external hacker, just as often the problem will begin within the company's walls. And it'll be no one's fault.

For example, consider how likely this situation is: a junior employee is asked to send a document to an external partner, does so, and discovers afterwards that the information contained in that document is actually extremely sensitive in nature. The insurance firm that employee works for has now suffered a data breach without even knowing it. There's been no break-in. No hack. And no criminal intent from anyone involved in the process. But regulations have been contravened and, when the firm and regulators find out about it, there will be consequences.

A worryingly large number of insurance firms today face that exact problem. Indeed, 50% of all data leakage issues occur because of innocent user errors. Partly this is because data no longer exists within physical silos, so employees can let sensitive or restricted files out of their organisations very easily. Yet the bigger issue is that many lack a real understanding of how to classify, govern and protect data. When that's the case, encryption is futile and insurers are vulnerable to the severe consequences that come with data loss.

Penalties and benefits

In much the same way as has taken place in the banking industry, the impact of data breaches can range across entire insurance firms. That's in addition to the reputational damage that extends into the public domain. Understandably, financial penalties may be front-of-mind for those in charge of potentially vulnerable, unprotected data. Yet they are really only the start of the story.
While fines ranging into the tens of millions should be expected by an insurance firm that suffers a large breach, there are usually softer costs added on which make the matter far worse. For instance, if a company suffers a breach in which sensitive personal customer data is taken, that firm may be obliged to carry out a check for each potentially affected individual to see if their information has been lost. And although the cost of each check is not huge (perhaps as low as 10), when multiplied by thousands of customers it can quickly grow to become a major concern. Then there is the negative effect a breach has on a company's reputation. A breach can be so public and so newsworthy that good sentiment will erode quickly, encouraging current customers into the arms of rivals, and deterring future business.

Staying clear of trouble

The need for insurance firms to better protect their data has never been clearer. As such, some companies are looking at how they can use technology to bring their data protection protocols in line with where they need to be. Importantly, these innovators are not just looking at one level of data protection, such as encryption. They are working with industry experts to take a thorough overview of their systems and tools to ascertain where threats may exist, where data protection and classification need boosting, and how to balance higher security with the smooth running of the organisation. It's a multi-layered approach. Yet a good first step is to implement philosophies, solutions and a programme of education to eradicate those innocent, yet entirely unnecessary, mistakes that allow data to get out. The starting point for this should be a data classification exercise, which will give insurers an understanding of what they own and how toxic it would be to them, and to their clients, if it fell into the wrong hands.
Next should be the creation of a clear and understandable data governance programme, dictating the levels of permissions for each employee role, so that people cannot access or distribute certain data, and specifying what data should under no circumstances be shared outside the organisation without appropriate data handling in place.
Fortunately for insurers, they can build the technology that does this into a wider transformation programme. Office 365, for example, offers an automated, intelligent and analytical cloud-based solution that sits above the rest of the business's technology and manages how workers access and use data. Importantly, this technology offers two levels of protection: restriction or warning. So firms can either completely block employees from inadvertently accessing sensitive data, or tell them that they are trying to do so and ask at the same time if they'd like to continue. With this functionality, insurers can not only stop innocent mistakes, they can encourage staff to learn from the mistakes they might otherwise have made.

After improving data classification and sovereignty, the task is to return to encryption. Crucially, with greater visibility, firms will now know not only what needs to be encrypted, but who the owner of the policy will be. At the core of this must be the encryption of data both at rest and in transit, so all eventualities are covered, as well as management of encryption keys, which for most firms will be informed by regulations.

However, both encryption and classification will be understrength if they are not part of a total desktop and device transformation strategy. As such, CIOs working in insurance should be asking themselves big questions. Such as: am I implementing policies that only allow properly encrypted USB drives to operate when plugged into company-owned devices? And do I have tools in place to stop data access when a user connects to an unsecured network, or attempts to upload sensitive documents to Dropbox? Similarly, CIOs need to take a look at what infrastructure they have and whether any legacy technology is going to cause problems by being unable to work according to new regulations.

There is a common complaint that tight security can impede business efficiency.
So ensuring a fine balance between the two is vital to introducing data security protocols that the whole business will actively get on board with, and take seriously. Above all, security must be part of enterprise IT architecture and not an afterthought. However, that depends on the business taking more ownership of data security, and working closely with IT and the C-suite to define an appropriate security framework.

Better security means better business

Every insurance firm's path to improved data protection will be different. It will depend on where they are in their digital transformation journey, on how they want to balance risk and security, and on management's will to abandon legacy technologies that don't support the best modern security systems and upgrade to those that do. Key to success is involving expert providers, who will spend time working with a business to understand its precise needs and develop policies that cater to them. Experts who know that the path to robust data security may be long and challenging, but that the rewards are there for those who take it.

If you want to know more about data protection for insurance, speak to CloudTalent, a strategic advisory business that has a unique approach for identifying a company's current state and defining its future state. This approach has helped companies optimise costs, improve services and reduce risks for their business by helping to transform their IT. www.cloudtalent.avanade.com
About CloudTalent

CloudTalent, an Avanade company, is a UK-based strategic advisory business with a highly experienced management team and professionals. Founded as the Network Storage company in 2002, we help clients from many different industries transform their business by transforming their IT. We employ some of the UK's leading experts in IT and business transformation. We have over 500 members in our associate network and are proud of our impartial, practical and expert approach. For more information about CloudTalent and our unique Line of Sight transformation methodology, please visit www.cloudtalent.avanade.com

CloudTalent Ltd.
60 Queen Victoria Street
London EC4N 4TR
contact@cloudtalent.co.uk
+44 (0) 20 7025 1000

2017 Avanade Inc. All rights reserved.