Tag Archives: KSI

Why Blockchain Matters to Insurers

First, a definition. Distributed ledger/blockchain technology, increasingly abbreviated as “DLT,” transfers value in a decentralized, consensus-based and immutable manner using cryptographic tools. It differs from today’s technology because it offers transactions between unknown counterparties that are mathematically trusted in real time. DLT is at once a network and a database that can host applications like smart contracts, with the potential to be interoperable across trade ecosystems. This technology seems tailor-made to help administer the claims end of insurance.

Let’s talk about claims. It is well known that insurance claims are the storefront of an insurance business. Claims processing and resolution provide touchpoints for extended customer engagement, and a bad experience can poison an insurer in a customer’s mind, which can affect policy renewal. The claims experience should be seamless and easy to manage for all.

Imagine if you could smooth out your claims process so that it is more accurate, frictionless and cost-efficient and can even provide easy access to data for benchmarking and analysis to improve your customer’s digital experience.

I had my “aha” moment when I first learned about DLT technology. I was struck with an immediate vision of how things could be made better within the insurance industry. As a prior general counsel of an insurer, and now a consultant specializing in the strategic use of this technology, I understand how it can be implemented (once fully developed) and can envision how it can change and improve business from end to end.

Practically speaking, on the claims side, at the very least, the industry would never again have to suffer “the dog ate my homework” excuse for lost documents, duplicate or other document mishaps and related lawsuits. Claims provenance could be automatically established and adjudicated by so-called “smart contracts” (in the most general sense, they are protocols that have deterministic outcomes) in real time with an easily auditable and immutable trail. Identity proof would be less onerous. Those developments alone go a long way to reducing fraud and risk and their associated costs.

While modernizing claims processes is not a “sexy” thought, it is one that directly affects all insurers and their bottom lines by reducing risk. A small shift in the actuarial calculation based on a risk reduction goes a long way. There is not a business person on earth who does not want to increase revenue.

While there is a lot of hype, I believe we are only seeing the beginning of its potential. Education is needed. Imagination is needed. And innovation and execution are needed. The financial services industry has looked at this technology over the past year and is engaging with it, and some practical applications are expected to go into production in 2017. Insurers/asset managers should take notice. For instance, Delaware will begin using blockchain technology for UCC filings powered by Symbiont. Financial industry regulators, both domestically and internationally, are evaluating this technology and are listening and learning. In part, we owe the financial services sector a debt of gratitude for creating awareness overall.

Generally speaking, insurers have been slow to the table to learn about this technology, but it is imperative that they engage as early as possible because DLT has the potential to be very valuable for them. Some reinsurers already understand this and are experimenting. The diamond industry understands this and is experimenting with digital representation of hard assets on a blockchain for asset management and insurance purposes through Everledger. Other insurers have made some attempts to test similar concepts.

Indeed, the insurance industry can benefit on more than just the claims side.

We all know customer acquisition is the most uncertain and expensive part of the process in any business. Well-designed digital processes can prove invaluable in customer acquisition and retention. On the front end of the insurance industry, smart contracts can aid in creating easy-to-manage customer policies, which can be fed into databases and tailored and segmented in any way that makes business sense. Data management and security can be enhanced using blockchain technology. In fact, the Estonian company Guardtime has embraced the cyber security end of this technology and evolved a keyless signature infrastructure (KSI) that DARPA is verifying.

Blockchain/DLT technology is not a panacea for all. But it is worth exploring as the technology evolves. We are at an inflection point in the development of this technology—a point in time where insurers and others can have a say in how it evolves. Once standards emerge and practical applications are in production, it may be too late.

Time to get on board, insurers, and weigh in! All you need do is participate to make sure your interests are heard and accounted for.

To the insurance industry, I ask you: How do you see this technology affecting insurance?

New Way to Audit Digital Assets

In the real world, it would be considered reasonable and appropriate to require an independent audit of digital assets to be insured. In cyberspace, this is more challenging. Insurers have to rely on the insured to tell the truth about what assets have been affected by a breach.

Integrity standards for data enable insurance companies to conduct an independent audit of what digital assets exist (e.g., client data, intellectual property) prior to a breach, thus preventing fraudulent claims.

One aspect of a data integrity standard is keyless signature infrastructure, known as KSI. KSI is a disruptive new technology standard that can effectively address some of the issues insurers face in the rapidly emerging cyber liability domain. It can enable mutual auditability of information systems to allow stakeholders to know the cause of a breach, mitigate the risk of breach escalation in real time and provide indemnification against subrogation and other legal claims.

The concept of a digital signature for electronic data is very straightforward: a cryptographic algorithm is run on the data, generating a “fingerprint of the data,” that is, a tag or keyless signature for the data that can be used at a later date to make certain assertions, such as signing time, signing entity (identity) and data integrity. KSI offers the first Internet-scale digital signature system for electronic data using only hash-function-based cryptography. The main innovations are:

  1. Adding the distributed delivery infrastructure designed for scale
  2. No longer requiring cryptographic keys for signature verification
  3. Being able to independently verify the properties of any data signed by the technology without trusting the service provider or enterprise that implements the technology

Other features include:

  • Unlike digital certificates, keyless signatures never expire; the historical provenance of the signed data is preserved for the lifetime of the data, and people are not required in the signing process.
  • Use of keyless signatures strengthens legal non-repudiation for data at rest.
  • There are no keys to be compromised or to revoke. This fundamentally changes the security paradigm. It is important to understand that if data integrity relies on secrets like keys or trusted personnel, then once these trust anchors are exploited, the liability for the data they protect becomes unlimited. This occurs because there is no way to determine what has happened to the data signed by those private keys or maintained by those trusted personnel. Evidence can be eliminated; data changes can occur without oversight; and log/event files can be altered. The exploiters can provide the picture they want you to see. Keyless signatures remedy this problem.
  • During a breach, active integrity can be provided with cyber alarms and correlated to other network events by auditors, the network operations center and the security operations center(s). Active integrity means real-time, continuous monitoring and verification of data signed with keyless signatures. With active integrity, real-time understanding is achieved as to the coherence and reliability of technical security controls and whether the digital asset has integrity.
  • Underwriting cyber policies becomes much simpler and more efficient because there is transparent evidence certifying the integrity of the data, the technical security controls protecting the information and rules governing the transmission, modification, or state of the insured asset(s).

A “managed security service” resulting from the implementation of KSI marks a new era for insurers. As they seek organizational intelligence of digital assets to make real-time policy adjustments, they are also making concrete conclusions about the insured asset risks, threat, exposure and cyber landscapes affecting clients. Claims processing and disputes become simpler as the technology preserves the forensic traceability and historical provenance of the digital asset, enabling rapid determination of when and how a breach or manipulation occurred and who or what was involved. Hackers and malicious insiders cannot cover their tracks. Moreover, proving negligence is now possible. Negligent acts may be quickly detected and proven in the event the service provider does not comply with the contracts maintained in force with the enterprise.  

Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. It is equivalent to having an alarm on your physical property and a motion detector on every asset that cannot be disabled by insiders.
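The sketch below is an added illustration, not code from the EY report or from Guardtime. It shows how a signature built only from hash functions can be verified without any key, and how an active-integrity sweep flags an altered log record. It assumes a simplified Merkle hash tree as the construction; the function names and log lines are constructed for this example, and real KSI signature formats differ.

```python
import hashlib

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 so a leaf cannot be passed off as an inner node.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf(record: bytes) -> bytes:
    return _h(b"\x00", record)

def node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)

def sign_batch(records):
    """Aggregate a non-empty list of records into one root hash.

    Returns (root, chains); chains[i] is record i's signature: the
    (sibling_hash, sibling_is_left) steps from its leaf up to the root.
    """
    level = [leaf(r) for r in records]
    members = [[i] for i in range(len(records))]  # records under each node
    chains = [[] for _ in records]
    while len(level) > 1:
        nxt, nxt_members = [], []
        for i in range(0, len(level) - 1, 2):
            left, right = level[i], level[i + 1]
            for rec in members[i]:
                chains[rec].append((right, False))
            for rec in members[i + 1]:
                chains[rec].append((left, True))
            nxt.append(node(left, right))
            nxt_members.append(members[i] + members[i + 1])
        if len(level) % 2:  # odd node out is promoted unchanged
            nxt.append(level[-1])
            nxt_members.append(members[-1])
        level, members = nxt, nxt_members
    return level[0], chains

def verify(record, chain, published_root):
    """Recompute the root from the record and its chain; no key is involved."""
    cur = leaf(record)
    for sibling, sibling_is_left in chain:
        cur = node(sibling, cur) if sibling_is_left else node(cur, sibling)
    return cur == published_root

def integrity_alarms(stored, chains, published_root):
    """Active-integrity sweep: indices of stored records that fail to verify."""
    return [i for i, (rec, ch) in enumerate(zip(stored, chains))
            if not verify(rec, ch, published_root)]

# Constructed sample log lines (not from the article).
LOGS = [b"09:00 login alice", b"09:02 read claims.db", b"09:05 export 4000 rows",
        b"09:06 logout alice", b"09:10 login bob"]
ROOT, CHAINS = sign_batch(LOGS)
```

Anyone holding a record, its chain and the published root can run `verify` independently; an intruder who rewrites a stored record cannot make it verify again without changing the root that was already published.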

Because of the volatile nature of electronic data, any hacker knows how to delete or manipulate logs to cover his tracks and attribute his activity to an innocent party, which is why attribution of crimes on the internet is so difficult. Integrity is the gaping security hole. A loss of integrity is what leads to data breaches, introduced by malware, viruses or malicious insiders.

Public key infrastructure (PKI) will never be the solution to integrity or usable for large-scale authentication of data at rest. The forensic evidence of keyless signatures makes legal indemnification issues easy to resolve, highlighting who, what, where and when a digital asset was touched, modified, created or transmitted. This places the onus on the “use” of data and not collection, providing auditability across service providers and the internet. Privacy is maintained, but there is also transparency and accountability for how data is used. Every action can be traced back to the original source that is legally responsible. This simplifies service-level agreements, pinpoints liability in the event of accidental or malicious compromise, and indemnifies independent data providers from legal claims.

This article is an excerpt from an EY report titled “Cyber Insurance, Security and Data Integrity; Part 1: Insights into cyber security and risk — 2014.”