//next Best Things

Data security: From mandatory fulfilment to strategic action

Insurance companies have huge volumes of sensitive data and information at their disposal. The information is comprehensive, ranging from payment-transaction data to very personal and sensitive health data of their customers. This makes the industry both attractive and extremely vulnerable to hacks. The theft of highly sensitive customer data – e.g. for blackmailing purposes – poses a particularly massive risk for insurance companies and their IT. The number of hack attempts has been increasing exponentially, not only since the Ukraine crisis. As a result, regulators are also tightening the rules, e.g. via the “Insurance Supervisory Requirements for IT (VAIT)”, most recently with the amendment on 3 March this year by BaFin.

In my opinion, the field of cyber security and the corresponding regulations constitute one of the most important challenges for an insurance company. It has long since left the purely operational level and has now become more strategic in various ways. Reason enough to take a closer look at the topic today.

Cyber attacks undermine confidence and are very costly

A list of every recent cyber attack and all possible threats would certainly be beyond the scope of this article, though I would still like to cite one or two examples to illustrate the point:

  1. The Federal Office for Information Security (BSI) has classified Russia’s invasion of Ukraine – and its threats against the EU, NATO and Germany – as a considerable risk. And not just in the military sense, but also in cyberspace. In this regard, the BSI also recommended not using anti-virus software from the Russian manufacturer Kaspersky, and preferably using an alternative product instead. 
  2. At the end of last year, “Log4j” made it onto the evening news. The vulnerability it exposed in the Java programming environment is now considered the biggest security flaw in the history of the Internet. It allows attackers to execute arbitrary code on affected systems. It is also widely distributed, due to Java being open-source. As a result, many IT managers went into a frenzy at the end of last year to try to counteract all the associated consequences and effects.
  3. In the insurance industry, the most recent victim of a cyber attack was Zurich. The hackers managed to steal their customer data and then post it on the Darknet. Given that the criminals are now upping the ante, potential victims must also take action to prevent corresponding damage.
     

The consequences can generally be divided (according to size) into the following categories: business interruption and restart costs, loss of business data, blackmail, fines, and ultimately reputational damage. Current estimates run into the billions. This is ultimately a reason why it is no longer enough to just repair any operational breaches and get back to “business as usual”; on the contrary, the issue must be given strategic priority.


From compliance to strategy

Since the adoption of the VAIT in 2018, many insurers have already started to address operational deficits in IT security. The solutions range from infrastructural measures, such as patch management, to systematising identity and access controls as well as authorisation management. The latest amendment to the VAIT on 3 March 2022 focussed on the issues of outsourcing to IT service providers, operational information security and IT emergency management in particular.

These measures create the basis for risk-based, targeted and effective information security, which often also meets the requirements of external standards such as ISO 27001. However, continuously supporting active services and controls to manage risks, external and internal threats, and incidents requires IT security to be addressed more sustainably – along several lines of defence.

Strategic programmes for IT security 

Regulatory requirements, especially data protection and data security, require a more strategic approach. This starts with an information security strategy and continues through the corresponding governance, to processes, structures and systems.

As an example, the topic of IT security must be enshrined in the IT development process at an early stage. Involving security experts from the beginning can prevent unnecessary effort and costs before the measures are launched. On the other hand, it also means that lots of expertise and resources will be required for every project. So IT issues will clearly be consuming larger shares of the transformation and operational budgets, which IT management has to take care of.

On the one hand, having a strategic focus allows companies to counter increasing digital vulnerabilities – as a result of the constant stream of new applications and infrastructures – and the increasing numbers (and professionalism) of potential hackers. And on the other hand, it can make a significant contribution to fulfilling and complying with the requirements of the amended version of the VAIT.