February 21, 2017
IT Security: A Major Threat for Insurers
by Mitch Wein
IT security is still a low priority for CIOs and mid-level managers. Less than 10% of an insurer’s IT budget is typically focused on security.
As the insurance industry changes in response to continued digitalization, IT leaders must continue to maintain and improve their ability to protect confidential data and customer information. While technological advances can streamline processes, they can also open the door for potential risks. Modern digital systems and procedures must be completely secure for agents and insureds to trust them, and to protect the companies from liability.
In a recent Novarica study, we found that insurers are enhancing security capabilities across the board. Nearly half of those we spoke to are enhancing capabilities in intrusion detection, application security and data encryption. Fewer insurers are enhancing their intrusion detection capabilities in 2017 than in 2016, but they remain among the most basic elements of IT security, and a critical component in ensuring a rapid response to any breaches. Most insurers have also already put in place application security measures to prevent security gaps, though this is an area that needs continual investment to stay current against evolving threats. And larger insurers are more likely than mid-sized insurers to be planning enhancements for data encryption capabilities. However, some midsize insurers are planning to pilot and launch encryption capabilities, in part due to encryption requirements within the New York State cybersecurity law and NAIC cybersecurity draft.
Carriers still plan to enhance audits and procedures, but the focus on this area has dropped somewhat because of heavy investment in 2016, when many insurers adopted NIST for the first time. IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate all aspects of security management and to determine process maturity. These processes need to be independently validated through a combination of sampling, gathering statistics from tools and holding discussions with the people responsible for those procedures.
We also see some activity when it comes to security frameworks and regulations. Insurers are preparing for new regulations, with some taking a “wait and see” approach to recently loosened New York State cybersecurity regulations. However, the New York State regulations or the NAIC cybersecurity model law will be replicated across all of the states over the next two to three years. Carriers need to monitor the developments in this area and ensure compliance to minimize fines and reputational damage.
In terms of frameworks, we see a slight increase in the adoption rate for NIST, from 60% to 70%, and a lower rate of 60% for SSE-CMM. NIST is a framework that uses business drivers to guide cybersecurity activities, and supplements activities related to SSE-CMM, as it covers all aspects of an organization’s processes. SSE-CMM assesses an organization’s maturity with regard to secure software development. Many insurers seem to prefer NIST over the SSE-CMM framework, and very few insurers are relying on other formal frameworks like COBIT, ITIL and the NYS regulation framework.
While more insurers choose to adopt NIST over other frameworks, adoption of formal frameworks is growing across the board. To ensure data protection across the enterprise, insurers can rely on frameworks to assess security risks. The organization must ensure that the software it builds or that is built on its behalf is secure and does not open up a security exposure. One good way to determine if the process of software development creates secure applications is to look at the security maturity of that process. The SSE-CMM is the way to assess this, but it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST framework, developed in 2014, is becoming the standard for all insurers to assess digital and operational security risks in a structured way and to develop a road map to improve their cyber-security practices.
Most large insurers have a mature IT security function, with a dedicated organization led by a chief information security officer. But for smaller companies, dedicating resources and building competency in this area can be challenging. What is more, IT security is still seen as a lower priority for CIOs and mid-level managers. Less than 10% of an insurer’s IT budget is typically focused on security. In some cases, especially in mid-sized and small carriers, basic capabilities like penetration testing, ethical hacking programs and mandatory security training are lacking. Additionally, many carriers do not have a dedicated security executive like a CISO. Insurers must ensure that they understand their challenges and options, prioritize their investments and plan their responses to security incidents.