Tag Archives: data security

Data Security to Be Found in the Cloud

As the insurance industry continues down the path toward digital transformation, it is being inundated with data being generated by many different connected devices and systems. Enterprise data is growing so rapidly that analysts at IDC predict the worldwide volume of data will increase ten-fold to 163 zettabytes by 2025. 

With the rise in volume and accessibility of data, comes an increased risk of data breaches. In the first half of 2019 alone, nearly 4,000 data breaches occurred, resulting in more than 4 billion records being compromised. On top of these challenges, insurers are also subject to an ever-changing list of complex regulatory requirements and industry standards meant to strengthen data security and consumer privacy. From the EU’s General Data Protection Regulation (GDPR) to the Payment Card Industry Data Security Standard (PCI DSS), the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation to the Insurance Data Security Model Law, insurers face a complex regulatory landscape. 

Strategically moving some core business functions to the cloud can provide insurers with many benefits that can address these challenges head-on, including increased data security, business flexibility and scalability, better ease of compliance and reduced infrastructure and capital expenditure costs.

The insurance industry has been hesitant about cloud adoption, due in part to the widespread use of legacy technologies, a desire for single-handed control of data and the nature of being a highly regulated industry. Yet, when done right, moving key systems and IT functions to the cloud can benefit insurance firms in spades. Innovations in the cloud can make it easier for organizations to not only comply with industry standards but also better safeguard customer data, all while providing a great customer experience.

How the Cloud Can Help

According to Gartner, expenditures toward cloud-based enterprise IT offerings are increasing at almost triple the rate of spending on more traditional, non-cloud solutions. The firm also found that more than $1.3 trillion in IT spending will be affected, directly or indirectly, by the shift to the cloud by 2022. This trend underscores the many benefits that organizations are reaping from the shift to the cloud.

To realize these benefits, insurance organizations must start joining the pack and look to migrate key parts of their business and IT infrastructure to the cloud. For example, providers can strengthen data security and ease compliance with PCI DSS by moving their payments systems to the cloud. Because insurers process and store tremendous amounts of sensitive consumer data and personally identifiable information (PII) – like Social Security numbers, bank account numbers, dates of birth and payment card numbers – insurers are prime targets for hackers. Traditionally, when a customer calls an insurer to make a payment, the customer speaks with a service representative and reads payment card details aloud over the phone. Likewise, if the customer uses the website to make a payment, sensitive payment card information is collected via a web form or e-commerce platform integrated into the insurance company’s computer network. In both scenarios, as soon as the sensitive data enters the organization’s network infrastructure, the insurer is responsible – both from a compliance perspective and in terms of customer expectations – for protecting that data. By making the shift to a secure, cloud-based payments processing solution, organizations can keep sensitive payment card data out of their infrastructure completely, thus reducing the risk of a data breach and minimizing the scope of compliance for numerous regulations. 


How Cloud-Hosted Payments Solutions Can Strengthen Data Security

Let’s say a customer chooses to call an insurer to make a payment. Cloud-based, dual-tone multi-frequency (DTMF) masking solutions, for example, allow callers to give their payment card data securely over the phone. The customer simply enters the card number directly into the telephone keypad. The DTMF tones of the telephone keypad are replaced with flat tones, making them indecipherable to an agent on the line or to a nefarious eavesdropper. Alternatively, the agent could send an SMS text message with a secure payment hyperlink to the caller’s mobile phone. The caller simply clicks on the hyperlink and enters payment information. In either scenario, the agent is able to stay on the line in full voice communication with the customer for the duration of the transaction, helping to troubleshoot, if necessary, and providing a frictionless and secure customer experience. Because a cloud-based payments solution sits between the telephony carrier and the contact center’s network, the payment card data is encrypted and securely routed directly to the payment service provider (PSP) for processing – keeping the sensitive data out of the organization’s network infrastructure completely.
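The DTMF masking described above, modelled as an added Python example (not code from the original article or from any vendor's product): a constructed call with a speech stand-in and a 12-key entry is run through a frame-by-frame Goertzel detector, keypress frames are swapped for a flat tone, and the forwarded audio is checked to confirm it no longer decodes while the captured keys are returned separately, as the PAN would be to the PSP. The 8 kHz sample rate, 100 ms/50 ms key timing, the detection thresholds and the 1000 Hz flat tone are assumptions.

```python
import math

FS = 8000                 # narrowband telephony sample rate (Hz), assumed
FRAME = 400               # 50 ms analysis frame at 8 kHz
TONE_N, GAP_N = 800, 400  # 100 ms keypress, 50 ms pause (constructed timing)

ROWS = (697.0, 770.0, 852.0, 941.0)
COLS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # A-D are in the DTMF spec, not on handsets
KEY_OF = {(r, c): KEYPAD[i][j] for i, r in enumerate(ROWS) for j, c in enumerate(COLS)}
TONES_OF = {k: rc for rc, k in KEY_OF.items()}


def tone(freqs, n, amp=0.5):
    """n samples of a sum of sinusoids at `freqs`, each with amplitude `amp`."""
    return [sum(amp * math.sin(2 * math.pi * f * k / FS) for f in freqs) for k in range(n)]


def synth_dtmf(keys):
    """Keypad entry as audio: each key is a 100 ms dual tone then 50 ms of silence."""
    out = []
    for key in keys:
        out += tone(TONES_OF[key], TONE_N) + [0.0] * GAP_N
    return out


def goertzel_power(frame, freq):
    """|X(freq)|^2 for the frame via the Goertzel recurrence (exact frequency, any N)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, dominance=8.0, share=0.5):
    """Key whose dual tone fills this frame, or None.

    A frame is DTMF only if one row tone and one column tone each dominate
    their group by `dominance` and together hold at least `share` of the
    frame's energy; speech and silence fail one or both tests.
    """
    energy = sum(x * x for x in frame)
    if energy < 1e-6:
        return None

    def best(group):
        ranked = sorted(((goertzel_power(frame, f), f) for f in group), reverse=True)
        return ranked[0] if ranked[0][0] > dominance * ranked[1][0] else None

    row, col = best(ROWS), best(COLS)
    if row is None or col is None:
        return None
    # For a sinusoid filling the frame, |X|^2 == (N/2) * sum(x^2), so this compares
    # the power in the two detected tones with the whole frame's energy.
    if row[0] + col[0] < share * (len(frame) / 2.0) * energy:
        return None
    return KEY_OF[(row[1], col[1])]


def frames(samples):
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        yield i, samples[i:i + FRAME]


def decode_dtmf(samples):
    """Keys audible in the audio; a run of identical frames is one keypress."""
    keys, prev = [], None
    for _, frame in frames(samples):
        key = detect_key(frame)
        if key is not None and key != prev:
            keys.append(key)
        prev = key
    return "".join(keys)


def mask_dtmf(samples, flat_hz=1000.0):
    """Model of the platform in the media path: DTMF frames are swapped for a flat
    tone before the audio reaches the agent or call recorder; all other frames pass
    through unchanged. The captured keys are returned separately, standing in for
    the card number that the real service forwards only to the PSP."""
    masked, keys, prev = list(samples), [], None
    for i, frame in frames(samples):
        key = detect_key(frame)
        if key is not None:
            masked[i:i + FRAME] = tone((flat_hz,), FRAME, amp=0.3)
            if key != prev:
                keys.append(key)
        prev = key
    return masked, "".join(keys)


if __name__ == "__main__":
    # Constructed call: agent speech (stand-in: 300 + 2500 Hz), keypad entry, speech.
    speech = tone((300.0, 2500.0), 2 * FRAME)
    call = speech + synth_dtmf("0123456789*#") + speech
    forwarded, captured = mask_dtmf(call)
    print("captured for PSP :", captured)
    print("agent can decode :", repr(decode_dtmf(forwarded)))
```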

Likewise, if a customer uses the insurer’s website to make a payment, cloud-based digital payments solutions can make the transaction more secure and provide a better customer experience, all while streamlining regulatory compliance. Say a customer is interacting with a customer service representative via web chat. When the customer wants to make a payment, the agent can send a secure payment hyperlink to the customer right in the chat window. The customer clicks on the link and is presented with a secure web form, where the customer can enter payment card information. Again, the sensitive payment data is routed directly to the PSP and never enters the insurer’s network.

In all the scenarios described above, both the insurance provider and the payment channel (telephone, SMS, the webchat solution, etc.) are kept out of the scope of compliance for GDPR, PCI DSS and other regulations. At the same time, these cloud-based digital payments technologies can relay real-time progress updates that inform the agent when the link has been opened, when payment information has been collected and whether the payment was approved by the PSP, providing the business with powerful insights into the status and success of collected payments.

By handling payments in the cloud, insurance providers can dramatically reduce the amount and types of sensitive data they process or store – making themselves less of a target for hackers and reducing the scope of compliance for numerous industry standards and regulations. Moreover, by moving their payments to the cloud, organizations can reduce costs by eliminating the capital expenditure related to hardware, and enable greater productivity across their IT teams by offloading the task of maintenance and updates to third-party service providers.

Additional Benefits of Moving to the Cloud

Cloud-based technologies offer unmatched flexibility, scalability and nimbleness compared with traditional, on-premises IT solutions. Here are just a few benefits of adopting cloud-based solutions:

  • Greater Resiliency and Reliability – because many cloud solutions are able to accommodate thousands of customers at once, these platforms offer a greater level of reliability at a lower cost than insurers could typically afford independently.
  • Geo-redundancy – cloud-based payments solution providers have geo-redundant data centers, resulting in an additional level of backup in the rare case that the main payments system fails – a necessity for companies to consistently and reliably ensure customer satisfaction.
  • Scalability – cloud solutions enable organizations to quickly and easily scale up on demand, without requiring additional investment in on-premises hardware.
  • Cost Control – tightly tied to flexible scaling options, cloud payments solutions often result in better cost control and allow organizations to take advantage of economies of scale, compared with investing in on-premises infrastructure. This ability to save on up-front hardware costs is especially important for fast-growing businesses.
  • Less Equipment – depending on the deployment option, firms can migrate their payments systems to the cloud and have little to no equipment to maintain, allowing their IT and infrastructure teams to focus on more strategic projects.
  • Quick and Easy Implementation – cloud implementations are typically faster and less complex to get up and running than on-premises deployment models. 
  • Easier Software Updates and Bug Fixes – because cloud payments solutions are most often managed by service providers, insurance companies can relieve themselves of the burden of having to manually update software and patch bugs.

Security Comes First – Cloud or No Cloud

While the insurance industry has traditionally been hesitant to migrate important functions such as IT or payments systems to the cloud due to security concerns, it is important to remember that the challenge is not in the security of the cloud itself. In most cases, data breaches are the result of a user – not the cloud provider – who has failed to follow or enforce appropriate security policies and controls. As long as the organization enacts proper security policies and trains its employees on the importance of following them, it should have no worries about cloud solutions adding security risks.

That said, security should always be a top priority for companies, whether they use on-premises or cloud-based solutions. It’s important to carefully select a provider that adheres to the highest security and compliance standards. When choosing among cloud-based payments solution providers, make sure they have achieved industry-accepted certifications such as ISO 27001, PA-DSS and PCI DSS Level 1.


As insurance organizations struggle to keep pace with an increasingly dynamic business landscape, a deluge of sensitive customer data and ever-more-complex regulatory requirements, they will find that migrating their critical systems and functions to the cloud will provide the nimbleness and flexibility they need to remain competitive. Cloud payments solutions can help optimize costs and provide scalability, while enabling stronger security, easier compliance and a superior customer experience.

What GDPR Means for Insurtech

After Solvency II, the European Union is ready for its next big and comprehensive regulation, called GDPR (General Data Protection Regulation). GDPR was approved by the EU Parliament in April 2016 and, after a two-year grace period, took effect in May 2018! The new regulation replaces the previous Data Protection Directive 95/46/EC.

Regulatory Landscape and Breaches

The first key point of the new regulation is protecting all E.U. citizens’ data privacy with an extended regulatory landscape. New data privacy rules should be applied to all personal data of data subjects residing in the European Union, regardless of companies’ locations.

With GDPR, fines for breaches were increased sharply, to up to 4% of annual global revenue or 20 million euros (whichever is greater). Another radical change is that the regulation applies not just to controllers but also to processors, so cloud processors are also covered. Under GDPR, the data owner must give consent through a document that is understandable, simple and easily accessible, and withdrawal of consent for data usage must be equally easy.

With GDPR, breach notification becomes mandatory and must be performed within 72 hours of the breach being spotted. Notifications must go to all affected data owners.

The Key Point for Insurtech

These changes are key for insurtech. Data security and privacy had seemed to be key concerns that would hold back insurtech, because of the dangers created by the increased use of connected IoT devices, real-time data collection and high profile cyberattacks. But customers will be much more comfortable with insurtech because GDPR will alleviate concerns about data privacy, without regard to a company’s scale. With GDPR, drivers of insurtech like IoT, machine learning and much more won’t be considered as possible tools for data breaches. GDPR will be a spontaneous trigger of insurtech!

How Safe Is Your Data?

Overview

Your data might not be as safe as you think it is — and it could cost you dearly.

Part of the threat comes, unwittingly, from your employees — and, possibly, even yourself. A significant proportion of cyber breaches (as many as 30%) are the result of “negligence or mistakes,” with individuals failing to act responsibly or follow procedure.

Two decades after the launch of the web, digital has become so ingrained in our lives that it’s easy to assume you know the best security practices to keep you and your organization safe from a data breach. But as technology continues to drive changes in the way we live and work and as the Internet of Things becomes more omnipresent, the digital risks we all face are only going to increase as more and more devices share data around the world.

Read on for some simple steps you can take to help keep your data more secure.

In-Depth

A growing threat, but an inadequate response

The number and potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014; the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before — and the total expected to reach 50 billion by 2020 — there are more potential targets for attackers, as well as more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So how do you keep your organization’s data — and that of your clients and customers — safe?

According to Aon cyber insurance expert Stephanie Snyder Tomlinson, it’s not just a matter of investing in better technology and more robust systems.

“A lot of companies find that the weakest link is their employees,” Snyder Tomlinson says. “You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-it note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Brad Bryant, Aon’s global chief privacy officer. But with cyber threats increasing, it’s more important than ever to be aware of the seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators — Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare — If you give out details about your personal life, hackers may be able to use the data to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information — A surprising amount of information can be retained by devices even after wiping hard drives or performing factory resets. To be certain your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data — Keeping your software up-to-date and password protecting your devices may not be enough to stop hackers should those devices fall into the wrong hands. The more security the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your and your customers’ and clients’ information, investing in better cyber security is only one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations should pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness — Educate employees on what social engineering fraud is, especially in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious — Always verify the authenticity of requests for changes in money-related instructions and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin or destination.
  • Be organized — Develop a list of pre-approved vendors, and ensure employees are aware. Review and customize crime insurance. When it comes to coverage or denial, the devil is in the details.
  • Develop a system — Institute a password procedure to verify the authenticity of any wire transfer requests and always verify the validity of an incoming email/phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new — but the scale of the threat is increasing, making following it more important than ever.

“Social engineering fraud is one of the greatest security threats companies can encounter today,” Fitzgerald warns. “This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious as courts and regulators are focusing on this issue globally.

The EU is considering a data protection directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on protection of customer data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and the U.S.

“Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction,” Bryant warns. “Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

It’s not just changing E.U. rules that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

“Given the large scope and impact of the various changes in data protection law, coupled with the drastic increase in fines, becoming educated on how to protect our data is more business-critical now than ever before,” Bryant says.

Talking Points

“The average cost per user of a data breach is now $240… The costs are costly, but the current model of privacy will not make sense going forward.… The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there.” – Lawrence Lessig, Roy L. Furman Professor of Law, Harvard Law School

“A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously.” – Tanguy Van Overstraeten, Linklaters

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.” – Andrus Ansip, Vice President for the E.U. Digital Single Market

Data Security Critical as IoT Multiplies

When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.

How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.


ESET security researcher Cameron Camp has been paying close attention to data security. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length):

3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?

Camp: Companies are going to live and die on whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.

3C: That sounds ominous. What can and should we be doing?

Camp: We have to think about security in new ways. We have to secure the person, the experience and the data at rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.

We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.

3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?

Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.

3C: Why don’t routers get patched like PCs?

Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if for four of those years they’re vulnerable, we have a big problem.

Manufacturers have to keep the revenue up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.

3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?

Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.

Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.

3C: Is there some good news on the horizon?

Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there are many different permutations. In five years, we’re not going to see that; we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.