Insurance companies have huge volumes of sensitive data and information at their disposal. The information is comprehensive, ranging from payment-transaction data to very personal and sensitive health data of their customers. This makes the industry both attractive to attackers and extremely vulnerable to hacks. The theft of highly sensitive customer data – e.g. for blackmail purposes – poses a particularly serious risk for insurance companies and their IT. The number of hacking attempts has been increasing exponentially, and not only since the Ukraine crisis. As a result, regulators are also tightening the rules, e.g. via the “Insurance Supervisory Requirements for IT (VAIT)”, most recently with the amendment by BaFin on 3 March this year.
In my opinion, the field of cyber security and the corresponding regulations constitute one of the most important challenges for an insurance company. It has long since left the purely operational level and has now become more strategic in various ways. Reason enough to take a closer look at the topic today.
A list of every recent cyber attack and all possible threats would certainly be beyond the scope of this article. I would nevertheless like to cite one or two examples to illustrate the point:
The consequences can generally be divided, ranked by scale, into the following categories: business interruption and restart costs, loss of business data, blackmail, fines, and ultimately reputational damage. Current estimates run into the billions. This is ultimately why it is no longer enough to just repair any operational breaches and get back to “business as usual”; on the contrary, the issue must be given strategic priority.
Since the adoption of the VAIT in 2018, many insurers have already started to address operational deficits in IT security. The solutions range from infrastructural measures, such as patch management, to systematising identity and access controls as well as authorisation management. The latest amendment to the VAIT on 3 March 2022 focussed on the issues of outsourcing to IT service providers, operational information security and IT emergency management in particular.
These measures create the basis for risk-based, targeted and effective information security, which often also meets the requirements of external standards such as ISO 27001. However, continuously operating the services and controls that manage risks, external and internal threats, and incidents requires IT security to be addressed more sustainably – along several lines of defence.
Regulatory requirements, especially data protection and data security, require a more strategic approach. This starts with an information security strategy and continues through the corresponding governance, to processes, structures and systems.
As an example, IT security must be embedded in the IT development process at an early stage. Involving security experts from the beginning can prevent unnecessary effort and costs before the measures are launched. On the other hand, it also means that a great deal of expertise and resources will be required for every project. IT security will therefore clearly consume larger shares of the transformation and operational budgets, which IT management has to plan for.
On the one hand, having a strategic focus allows companies to counter increasing digital vulnerabilities – as a result of the constant stream of new applications and infrastructures – and the increasing numbers (and professionalism) of potential hackers. And on the other hand, it can make a significant contribution to fulfilling and complying with the requirements of the amended version of the VAIT.