Key Takeaways from Novarica’s Security Special Interest Group Meeting in NYC

Earlier this week, Novarica—including Mitch Wein, Jeff Goldberg, Justina Lee, and myself—hosted our Security Special Interest Group in New York City. Security is a topic of great interest, not only for insurance technology officers but also for insurance business officers and board members. Accountability for breaches and security regulation compliance lies at the top, and responsibility for the safekeeping of customer data lies with insurers and their partners. Regulation with various focuses can be compared and differentiated among the major recent announcements from California, Delaware, New York, South Carolina, and the European Union. Mitch facilitated the session, which led to healthy discussions around various aspects of security.

We reviewed and discussed the results of our security industry study, which was recently issued to the technology leaders participating in the meeting. We covered security operations, governance practices, technical processes, security budgets, the role of a CISO, and how each company can best prepare for each of the aforementioned regulations. Several questions arose: Does South Carolina’s insurance regulation apply to any insurer doing business in South Carolina, or only to insurers domiciled there? Should a carrier that does not conduct business in the EU be concerned about having EU citizens as clients in the US, or does the new legislation apply only to insurers with operations in the EU? Should the security budget be higher than 10% for smaller companies, which need to invest in security infrastructure just as much as larger companies in order to get started?

Participants at the meeting shared stories and experiences about how they handled discussions with CEOs, how prepared they were for the NY State regulatory audits, the burden of proof vs. the burden of executing security compliance, and how well an insurer’s own D&O policies protect CIOs and CISOs, including what is excluded or can’t be covered. Overseeing third-party service providers and vendor partners seemed to be one of the most challenging tasks for insurers to cover, though there was debate on whether non-vertical vendors were more onerous to oversee under the regulations than independent agents.

Additionally, the group discussed multi-factor authentication, also known as “something owned and something known.” This topic arose with respect to NY State requirements and how banks compare in their use of similar sign-on techniques. Mitch brought up a recent discussion he had at a vendor conference where agents and brokers complained that, given the number of insurer portals, they have to remember several IDs and passwords. That group believed their system vendor should act as a central source of authentication, with one PIN and one password, as part of a federated identity management responsibility.

Discussion turned to engaging employees in cybersecurity processes. One technology leader mentioned that with security topics being pervasive among many employees given their own experiences with Facebook, Google, etc., it’s easier to engage them. Another talked about how to keep employees engaged thereafter, which then transitioned to a discussion on phishing campaigns.

Recruiting is an essential need for insurers to adequately staff their teams with the right skills, especially as many insurers are facing gaps in both staff and skills. Some CIOs/CISOs talked about how they partner with local universities that offer degrees in related disciplines. Joining university boards and faculty is a creative way to access graduating seniors and interns, allowing insurers to develop relationships with future employees during their college years. Hiring, managing, and retaining staff—both on-premise and remote staff—was an interesting point of discussion as attendees shared their experiences and opinions on how to be successful in staffing.

Other topics, including data breaches and ways to recover, HIPAA and how it impacts carriers, compliance with the NIST and SSE-CMM frameworks, and security in the Agile methodology, were also covered. But one of the most fascinating points of the day was Mitch covering the future of quantum computing and its impact on insurers 5-10 years from today, which he addressed in a previous Executive Brief, Quantum Computing and Insurance: Overview and Potential Players.

Security requirements for insurers due to regulations are growing and evolving. New regulations that insurers need to stay on top of are being developed. Staffing, education, and managing third-party providers are real challenges that CIOs/CISOs have to tackle every day. The topics covered by the Novarica Security Special Interest Group meeting this week proved that there is still much progress to be made in ensuring the security of insurers and their policyholder data.
