Securing a Digital Insurance Ecosystem [A Primer]

The Automated Insurer | Digital Transformation

By Mike de Waal | October 25, 2022

Key Points

There are many actions insurers and their cybersecurity teams can take to mitigate evolving risks:

  • Ensuring your ecosystem partners have stout cybersecurity certifications and practices can make it much harder for cybercriminals to steal valuable assets. 
  • Adopting preventive measures such as a zero-trust security model can limit access points for cybercriminals, increase visibility into cyber threats, and protect customer data. 
  • Incident response teams can stress-test new security models and systems to find vulnerabilities and make the proper adjustments. 
  • Additionally, enabling open-source security allows insurers and their partners to share security tactics, cybersecurity software, and data on recent cyberattacks with each other instantly. Insurers and their partners can use the shared data and resources to prepare for different threats. 

Digital ecosystems are an essential part of the insurance landscape today. In fact, 84% of insurance executives say ecosystems are critical to their strategy, and McKinsey indicates ecosystems will account for 30% of global insurance revenues by 2025.

While ecosystems provide insurers with tremendous opportunities for growth, cybersecurity teams and IT departments face a number of challenges. 

With 12.3 billion active IoT device endpoints in the world today, the nature and volume of cyberattacks are evolving and escalating, posing a severe threat to the insurance industry’s digital ecosystems. Gartner predicts that by the end of 2022, application programming interface (API) attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

Common cybersecurity challenges in a digital ecosystem include: 

  • Lack of control and visibility across assets stored in the cloud and application components. 
  • Digital ecosystems, particularly microservices, expose new entry points to internal and external actors. 
  • Data generated in microservice architectures moves, changes, and is constantly interacted with. As a result, data breaches occur regardless of the communication channel’s exposure, and cybercriminals can take advantage of vulnerabilities to obtain private assets.

There are many steps insurers are taking to mitigate cybersecurity incidents in their digital ecosystem.

Cooperation Between Ecosystem Partners

The most successful cybercriminals work together, and insurers need to do the same with their partners, third-party vendors, and competitors.  

87% of business and IT executives say that to be resilient, organizations must rethink their approaches to security in a way that defends not just themselves but their entire ecosystems, including partners.

Open-source security is enabled by the voluntary collaboration of software developers and security teams. Multiple parties need to keep track of data on threats and other cybersecurity events they’ve witnessed. Insurers must then be transparent with each other and share the knowledge they’ve obtained to find the most common forms of attack. 

Additionally, insurers and their vendors can open-source their security tools to receive feedback from their partners and make their in-house protections available to others.

All parties can learn from the information obtained from previous cyber incidents and analyze their security tools to create a universal cybersecurity defence for ecosystems.

Invest In Early Detection

Early detection of cybersecurity breaches is crucial in an open-source digital ecosystem. Otherwise, a cyberattack can sit undetected for weeks. Quick, efficient detection and response will help determine the source of the attack, the systems targeted, and the attack's extent and cause. Then, the threat can be neutralized before damage is done.

Security information and event management (SIEM) software can help companies detect potential security threats across their networks before those threats impact business operations.

Data from applications, cloud environments, and networks can be gathered and analyzed as soon as it’s captured. This allows security and IT teams to automatically manage their network’s event logs and network flow data in one location.

Zero-Trust Security Models

Many organizations are establishing zero-trust security models to protect their digital ecosystems. In fact, 60% of organizations in North America are currently working on zero-trust projects, and roughly 50% of insurance and finance companies say zero-trust security models are a top priority for their business. 

A zero-trust architecture is a broad framework that protects an organization’s most valuable assets. It treats every connection and endpoint as a threat and seeks to secure the protected surface of an organization’s data, assets, applications, and services. The framework protects against these threats, whether external or internal, even for those connections already inside.

Additionally, a zero-trust security model examines if the connection adheres to the organization’s security policies and practices. Access restrictions enable users only to obtain the information they need and nothing more. 

Insurers that still use legacy systems could struggle to implement and sustain a zero-trust security model. A zero-trust security model must control user access and verify and authenticate users dynamically and continuously. Older applications may not provide this level of validation, authentication, and continuous surveillance, making it impossible to apply this type of security model across all properties.

Invest In Thorough Authentication Protocols

Insurance companies looking to implement a zero-trust security model need to continually invest in technology that limits opportunities for potential attackers. Tactical solutions such as Privileged Access Management (PAM) SaaS can help insurers restrict the number of attack surfaces cybercriminals can exploit. It can also prevent the harm caused by external or insider attacks.

Credentials must be validated before a privileged user can enter a system, and policies are often made to limit the user’s actions. In addition, PAM security tools use powerful automation and user-friendly features to create privileged access programs and zero-trust security frameworks.

Data Segmentation

Data segmentation is imperative for securing a digital insurance ecosystem. It ensures that customer and company data and other resources cannot be accessed by default, and that users can only obtain the data briefly, in the proper context.

Segmenting individuals and their time on network servers effectively increases visibility and security in a digital ecosystem. 

Implementing distributed resource protection mechanisms (DRPM) is an effective approach to facilitating data segmentation. DRPM obtains client or partner profiles and provides capability tokens if they are deemed eligible.

It’s critical to enable time limits and short-life capability tokens to limit how long a user can access resources. Additionally, as the trust between users and resource providers increases over time, resource providers can grant users longer timestamp validity.
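The short-lived capability tokens described above can be sketched as follows. This is an added example, not code from the article or from any DRPM product: an issuer checks a partner profile for eligibility, signs a resource-scoped token with HMAC-SHA256, and scales the token lifetime with a trust score. The profile fields, trust scale, TTL values, and function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key-constructed"  # constructed; use a managed key in practice
BASE_TTL = 60    # seconds; assumed lifetime for a partner with no track record
MAX_TTL = 900    # assumed ceiling, however trusted the caller becomes

def ttl_for(trust_score):
    """Assumed policy: lifetime grows linearly with trust (0.0-1.0), capped."""
    score = min(max(trust_score, 0.0), 1.0)
    return int(BASE_TTL + score * (MAX_TTL - BASE_TTL))

def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).digest()

def issue(profile, resource, now=None):
    """Return a token for an eligible profile, or None (deny by default)."""
    if resource not in profile.get("allowed_resources", ()):
        return None
    now = int(time.time() if now is None else now)
    claims = {"sub": profile["id"], "res": resource,
              "exp": now + ttl_for(profile.get("trust", 0.0))}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return enc(body) + "." + enc(_sign(body))

def verify(token, resource, now=None):
    """Accept only an untampered, unexpired token scoped to this resource."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
        return False
    claims = json.loads(body)
    now = int(time.time() if now is None else now)
    return claims["res"] == resource and now < claims["exp"]

# Constructed sample profiles: a new partner and a long-standing one.
NEW_PARTNER = {"id": "broker-17", "trust": 0.0, "allowed_resources": ["quotes"]}
TRUSTED_PARTNER = {"id": "tpa-02", "trust": 1.0, "allowed_resources": ["quotes", "claims"]}
```

Because the expiry and resource scope sit inside the signed body, a holder cannot extend a token's life or redirect it to another data segment without invalidating the signature.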

Stress Testing

A stress test can be defined as inducing severe conditions on an application, system, or software to determine where vulnerabilities in your defences lie and fill the gaps before cybercriminals can access your company’s or partner’s network. 

A study by IBM says organizations that formed incident response (IR) teams and stress-tested their IR plans saw their data breaches cost $2.46 million less than organizations without an IR team or tested IR plan.

There are many ways insurers can facilitate a stress test. 

Some companies hire outside investigators to try to break in or expose vulnerabilities in their computer systems and networks. For example, First American Bank pays outside investigators roughly $10,000 a year to try to hack into and find vulnerabilities in their network systems.

The most effective way to pressure test a security process is through a real-world simulation. These types of tests can examine how your team would react when faced with a significant cyber threat. 

Cybersecurity Evaluation of Ecosystem Partners

Accenture finds that 97% of insurers believe they have what it takes to be an attractive ecosystem partner. However, only 26% of insurers believe that their ecosystem partners are working as diligently as they are to improve their security resilience. 

Insurers must conduct some form of a security review or audit of potential partners before embedding them into their ecosystem.

As insurance companies grow their digital ecosystems with third-party vendors (e.g., software-as-a-service, cloud service providers), it is critical to seek out service providers with strict data-handling procedures and strong cybersecurity credentials.

Service Organization Control 2 Certification (SOC 2) 

One highly respected certification is SOC 2. Developed by the American Institute of CPAs (AICPA), a SOC 2 certification is an industry-standard auditing procedure and internal controls report that ensures service providers uphold specific standards when handling customer data. 

To obtain a SOC 2 certification, outside auditors such as the American Institute of Certified Public Accountants assess how a vendor complies with IT security compliance requirements.  

The auditors specifically examine the effectiveness of policies and systems on data security, processing integrity, confidentiality, and customer information privacy.

Securing the Future of Insurance

While there are risks associated with trusting vendors with customer data, transaction information, and other assets within a digital ecosystem, the benefits of these systems ensure they are here to stay. 

Cyber threats are constantly evolving – it’s essential for insurers and their partners to monitor new threats and work together to mitigate cybersecurity risks within their ecosystems.

Mike de Waal

Mike de Waal is president and founder of Global IQX, an Ottawa-based software provider of AI-driven sales and service solutions to employee benefits insurers. He has deep experience in both software development and business management. Early in his career, he worked as a computer programmer and then went on to become a financial planner and a benefits consultant with giant Manulife Financial before becoming a tech entrepreneur.