Insurance

Ensuring data security and confidentiality in the insurance industry

Insurance companies handle sensitive customer information and are a lucrative target for cybercriminals. This includes information on customer identity, biography, finances, health, employment, academic history, and property ownership.

Common cyberattacks happen through phishing, ransomware, human errors, and credential theft. In 2022, an Australian health insurance company suffered a massive data breach when cybercriminals stole the credentials of a user with special privileges. The perpetrators used this to extract the personal information of 9.7 million customers.

This article explains the concept of data protection in insurance, security challenges, and best practices in the insurance industry.

Main data security challenges in the insurance industry

Data security and confidentiality are paramount to the insurance industry. However, the process continues to face the following challenges:

Data security

Insurance businesses face an uphill challenge safeguarding customer data from unauthorised access, cyber-attacks, and breaches due to increasingly sophisticated cyber threats. Businesses must continuously invest in robust systems to ensure encryption, multi-factor authentication (MFA), and intrusion detection.

Compliance with data protection laws

Insurers have a legal obligation to protect their customers from cyber threats and must company with the following laws, whichever is applicable:

1. Health Insurance Portability and Accountability Act (HIPAA): This act establishes rules on how an institution collects, stores, and processes health-related data in the US. Insurance providers must implement adequate data protection to avoid penalties for HIPAA violations.
2. General Data Protection Regulation (GDPR): This regulation protects the personal information of EU residents. All EU businesses, including insurers, must comply with GDPR regardless of where their operations are.
3. Gramm-Leach-Bliley Act (GLBA): This act requires financial services companies, including insurers, to explain their information-sharing practices to the customers for safeguarding sensitive data. Users can also decline consent for their personal information to be stored or shared with third parties.
4. Insurance Consumer Privacy Protection Model Law #674 – The law by the National Association of Insurance Commissioners (NAIC) mandates transparency in data collection and customer consent. This extends to customer information being shared inside or outside the US.

Under this law, the customers hold the right to amend personal information if necessary.

Risk management

Insurance companies depend on third-party systems for claims processing, IT support, and underwriting. Third parties can access sensitive customer data, which can be a threat. To manage this, insurance companies must have stringent vendor management practices and legal safeguards within the contract.

Response to the security breach

Should the security ever be breached, the insurer must have robust incident response plans and protocols. These protocols must help them detect and respond to data breaches and minimise the impact on individuals, thus avoiding legal consequences.

Meeting client expectations

As more consumers become aware of their privacy rights, insurers must extend greater transparency and control of their data. The business must have clear communication and user-friendly policies for customer consent.

Best practices for data security and confidentiality in insurance

The following best practices provide a framework for an insurance business to handle data security and privacy:

Appoint a data protection officer

Have dedicated officers to implement, manage, and control data security and confidentiality in the organisation. This includes solving all the challenges mentioned above, passing security audits, and responding to incidents. The data protection officer must help meet the obligations of HIPAA, GDPR, GLBA, and NAIC Model Law #674.

Conduct regular risk assessments

You must know the types of customer data you handle and their level of sensitivity. Once you identify and categorise the data assets, you can assess the security risk and start addressing the weak points.

Robust data protection measures

Encryption, access control, and monitoring user activity are the critical steps to ensuring protection and privacy.

1. Encryption: Encryption ensures that even in the event of unauthorised access, the perpetrators cannot read or interpret it. It should apply to data that is stored and in transit.
2. Access control: Only authorised personnel must have access to the data. This can be enforced through multi-factor authentication and role-based access.
3. Monitoring user activity: Employee activity monitoring and intrusion detection systems provide real-time insight into data flow. Any usual activity triggers alarms and prevents potential breaches.

Manage privileged users

Employees with special access to IT systems and customer data are prime targets for cybercriminals. You can use a privileged access management (PAM) system to control privileges and manage activity using one-time passwords (OTPs) and time-based access control.

Prepare for incident response

Every compliance requirement mandates an incident response plan that defines steps to take in case of a breach. The GDPR sets a timeframe of 72 hours to notify the supervisory authority after the breach.

How can Infosys BPM help?

Use Infosys BPM to transform the customer journey and ensure data protection and confidentiality in property insurance, package insurance, D&O insurance, general liability, and workers’ compensation.

Read more about the insurance BPO companies and services.