Online Security in the Insurance Sector

Much of Quocirca’s research looks at the differing attitudes to IT between various business sectors. For example, a 2014 report titled "Online domain maturity" showed that retailers and financial services were the most likely to interact online with consumers.

Another report, from 2015, "Room for improvement, Building confidence in data security", showed that, by some measure, financial services were the most confident about data security.

Such comparisons are useful as they show what one sector is achieving and how another sector might benefit by taking similar measures. However, even within a given sector there are extremes; whilst more than half of financial services organizations are very confident about data security, 4% are not that confident. More granular research is needed to tease out where in a sector such differences lie.

Quocirca was recently invited to attend an insurance industry round-table focused on IT security. The event was hosted by Entrust Datacard, a provider of strong authentication tools, digital certificates and online fraud prevention products. If the views of the dozen or so attendees, who represented some of the best-known names in the UK insurance industry, are anything to go by, their sub-sector has a lower level of confidence about data security than banks (some organizations have a foot in both camps, so-called bancassurance).

Why should this be so? For a start, whereas banks deal directly with their customers' money, for insurance companies it is largely secondary. In other words, if your bank account is hacked, money may be transferred, but it is harder to exploit an online insurance account. Secondly, it was evident that one of the biggest concerns for insurers is insurance fraud, however carried out, and it was not clear whether this had become harder or easier to deal with as the industry has moved online.

Before the round-table, Quocirca had considered the areas in which insurance companies may be vulnerable. It was agreed that the two obvious ones were the protection of personal and payment card data. Protecting both is of course a regulatory requirement, but also makes good business sense. An insurance company may be targeted for such data, not because it is an insurance company per se, but because its defenses are weaker.

However, during the discussion some interesting insurance-specific threats emerged. Stealing lists of policy holders would be useful for planning crimes, for example the targeted theft of high-value cars. The task would be much easier with a current list of owners and their addresses than having to travel the streets to search for targets. Another involved intellectual property (IP); as quoting for insurance has moved online, the industry has become highly competitive. To appear high on the listings of comparison sites, where many insurance buyers end up, involves quoting via tightly guarded algorithms, and some felt there was a possibility of industrial espionage in this area.

Another area of concern was the insurance supply chain; many policies are sold via agents and brokers. However good a given insurance company’s own data security is, its Achilles’ heel could well turn out to be a smaller partner. It was noted that some well-publicized data breaches relied on compromising smaller partners to find a way into a larger organisation’s IT systems. There should be an onus on insurers to advise and certify the security of their supply chain partners.

There are, of course, many benefits of being able to safely transact online. Quocirca research, to be published later this year, shows that confidence in the omni-channel (the mix and match of mobile apps, web sites, telephone, face-to-face etc. for communication with customers) goes hand in hand with higher levels of confidence in data security. All agreed the insurance industry had to further embrace the omni-channel. Another benefit was being able to verify the ownership of insured assets, many of which can now be certified electronically via the internet-of-things (IoT), reducing the possibility of fraud.

Another opportunity for some insurance companies is insuring their business customers against online risk. Just as in other areas, those who have taken measures to mitigate the risk will get cheaper premiums. As the sector relies more and more on online interaction to keep up with its customers, insurers cannot afford to be seen to fall short of the IT security standards they expect of those they insure.
