Updating Security Practices for 2020 and Beyond

“A comprehensive approach to security takes a village.”

If a single statement could sum up what organizations need in today’s complex data privacy and security environment, the quote above would be it. It came from Novarica VP Eric Weisburg during last week’s Novarica Insurer Client Virtual Town Hall. Compliance officers, technologists, department leads, a slew of third-party service providers (TPSPs), and every individual employee are all intimately involved—especially now.

Security was an important topic even before the pandemic. Novarica SVP Mitch Wein noted that insurer security spending (as a percentage of IT spending) rose from 10% in 2018 to 12% now. Half of the time that boards spend on IT discussions goes to security.

Security in a work-from-home world

The pandemic has augmented the need for security. Security used to center on securing the building. That sort of centralized control is not possible when most employees work from home. Do we replace it with more extensive encryption? Locked drawers in employees’ home offices? The recent hurricane that swept my home state of North Carolina raised another question: If people have to evacuate their homes, do severe exposures arise that we haven’t adequately considered?

There is an element of training and education to security. But Mitch pointed out that, though we see insurers revising training protocols and educating their staff on security risks, their application has been uneven. He believes that carriers in states that saw minor COVID outbreaks at the beginning of the pandemic did not expect to be working from home as long as they have.

Social engineering attacks have become more prevalent as employees were, at least initially, less vigilant when working from home, even on personal laptops. Mitch noted that the use of personal laptops also raises another question: “If I need to do a forensic investigation, am I even allowed to take your personal computer? I don’t know.” Eric’s ‘village’ has gotten bigger.

Account takeover and authentication

Account takeover (ATO) has been an increasing concern in the annuities space in recent years. Beefing up authentication is difficult in a market where some customers may not even know how to log into a computer. Alternative routes to validation include accessing other types of documentation, like living wills, or using third-party data as an authentication point.

Third-party service providers, security, and contracting

Carriers previously made it easy for agents to access information for ease-of-doing-business reasons. It may be time for a rethink. Agents fall into the third-party service provider (TPSP) category and now face audit requirements. These requirements may encourage some agents into early retirement, but those that remain are likely to benefit from the process. No one wants to open themselves up to a lawsuit if a security hole is discovered—nor would they want to open a backdoor into their insurer partners.

Eric Weisburg cautioned that many TPSPs fly under the radar. Anyone who interacts with claims adjusters and shares information with them counts as one, as do legal counsels and other providers that insurers may not think of initially. Eric related how he’d recently spoken to an insurer with a limited inventory of the TPSPs they use and no contract provisions in place for how to handle data. Insurers will need to take inventory of TPSP contracts and make appropriate updates to ensure compliance with security and data privacy regulations.

The threat of quantum

Finally, Mitch warned about the future effects of quantum computing on security. There are a few steps insurers should be taking right now, even though quantum is still a few years away. The first is to become “quantum aware,” i.e., take inventory of encryption algorithms and note quantum-safe ones that they may need to implement. The next step is to survey infrastructure that you can wrap around existing encryption to make it quantum secure.

This week, our Virtual Town Hall will focus on customer journey mapping. If you haven’t already, register here.
