Intro
In 2024, a startling 39% of IT leaders in the insurance industry identified cybersecurity risks as the biggest threat facing their organizations. For insurtech companies, this is not just a statistic – it’s a reality they’ve lived with for years. The reason is simple: insurance is one of the most data-hungry industries around. From policyholders’ personal information to the massive influx of data from IoT devices, the amount of sensitive data flowing through the system is staggering.
As Rory Yates, SVP of Global Strategy for EIS, explains, “Insurers collect vast amounts of data to calculate how they can reduce the financial burden of risk in a pooled and capital-invested model. It’s a massive data exchange built on trust and financial leverage.” But with this wealth of data comes a challenge: how do insurtechs manage it securely?
For many insurance companies, especially the larger players, the answer is anything but straightforward. A recent survey of 600 global executives revealed a staggering complexity in their data management strategies, with half of them relying on five or more technologies to support their data goals. This not only creates technical debt but also disrupts the data supply chain, making transparency, quality, and governance incredibly difficult to achieve.
As the volume of data grows, so does the need for a robust data security strategy. This is no longer just an IT problem; it’s a business imperative. In this article, we’ll dive into the data security best practices that can help insurtech companies navigate this complex landscape and ensure that their most valuable asset – data – is properly protected.
Insurers must act as data security ambassadors
Insurance companies manage large amounts of sensitive customer information, including personal details like addresses, health records, and financials. This makes them a prime target for cyberattacks. From a consumer’s perspective, it’s the insurer’s responsibility to protect this data and use it only for its intended purposes. Maintaining that trust is essential not just for business success, but also to meet the growing demands of regulatory compliance.
The risks of a data breach are not just financial but reputational. Penalties for data protection violations are steep. For example, the California Consumer Privacy Act imposes fines of $2,500 per violation, or $7,500 for intentional breaches. Similarly, GDPR in the EU can issue fines up to 20 million euros or 4% of global turnover, whichever is higher.
What insurance must also be aware of here is that consumers today are more aware of how valuable their personal data is. They want to know how their data is being used, stored, and protected. It’s about more than just complying with regulations – it’s about showing customers that their data is in good hands.
Best practices for protecting customer data
1. Introduce privacy by design & privacy-first approach
A privacy-first, and privacy-by-design approach is essential to guarantee that personal information is only used when absolutely necessary. For insurance companies, this means assessing if personal data, such as health information, is truly needed for tasks like underwriting a life insurance policy.
It’s about ensuring that only the data required for risk assessment is collected, and avoiding asking for unnecessary sensitive details. This way, privacy is built into every project where personal information is involved, and only data that is essential for the business process is stored.
As insurtech continues to rely on IoT devices, AI, and 5G, building security by design is more important than ever. Many IoT devices used for risk assessment and underwriting lack strong cybersecurity, which can leave sensitive data vulnerable to breaches. The shift to 5G brings its own set of challenges, including complex encryption and decentralized operations that make monitoring and detecting threats more difficult. Addressing these issues upfront helps ensure that both data and customer trust remain secure as the industry evolves.
These technologies can be applied for a variety of insurance types and use cases. For instance, a travel insurance mobile app could trigger location-based emergency assistance by accessing the policyholder’s GPS location. Location data is only stored temporarily and deleted once the emergency is resolved.
The app transparently communicates how location data is used and offers simple controls for turning location sharing on or off. This approach ensures timely assistance while respecting the policyholder’s privacy.
2. Build security awareness and offer training
For insurtech companies, navigating the fragmented regulatory landscape can feel like a never-ending challenge. In the U.S., each state has its own data privacy and security laws, such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and the California Consumer Privacy Act (CCPA). On the global stage, insurtechs must also comply with the General Data Protection Regulation (GDPR) in the European Union.
The lack of uniformity across these laws makes compliance not only complex but also costly and time-consuming. Many companies struggle to create a standardized framework that ensures compliance across multiple jurisdictions, especially as regulatory bodies often fall behind the rapid pace of technological advancements.
But compliance is just one part of the puzzle. Security is everyone’s responsibility, and the human element remains one of the greatest risks. Ensuring that all employees and agents are properly trained on security awareness is crucial, particularly in preventing phishing, social engineering, and other common threats. Beyond internal measures, managing supplier security has also become a key focus. It’s vital that third-party vendors share the same commitment to security, with robust controls in place to protect customer data. Regular risk assessments and ongoing education are essential to mitigate these risks and safeguard both customer trust and business integrity.
3. Create a strategy for controlled release of sensitive data
Naturally, the solution for insurtechs isn’t to limit data exchange to a point where innovation opportunities are blocked. After all, an insurance company impacts a wide array of industries and aspects of daily life, from healthcare to property and business, making it reliant on the seamless exchange of data to effectively assess risks, optimize services, and meet regulatory requirements.
So, it’s crucial to approach data sharing carefully. This is where the concept of controlled release of sensitive data comes in, where an organization ensures that information is shared securely and responsibly with third parties.
Insurance companies must understand that they function as both data controllers and data processors, because they not only collect and control sensitive data about their clients, but also process data provided by other entities.
Hence, when your company develops rules for controlled sensitive data exchange, it should balance compliance with privacy regulations with protecting business interests. Namely, sensitive business data must be carefully handled to prevent the leakage of strategic information that could result in financial losses.
4. Automate data classification
Another method to enhance data security that we recommend at Clurgo is implementing automatic data classification. This is where AI can speed up the classification process, ensuring every file or piece of data is properly labeled and secured.
Having such a system is about more than “simply” organizing data; it allows you to track where sensitive information, such as personal or financial data, resides – whether on employee laptops or being shared through email. By monitoring how and where this data moves, insurance firms can maintain better control, reduce risks, and comply with privacy regulations.
5. Use multi-factor authentication
Securing cloud environments is a top priority for insurtech companies, especially as they handle sensitive customer data. One of the most effective ways to protect cloud systems is through multi-factor authentication (MFA). MFA requires users to provide two forms of identification – something they know (password) and something they have (mobile phone or fingerprint).
According to America’s Cybersecurity Defense Agency (CISA), enabling MFA reduces the risk of account breaches by 99%.
Even with strong passwords, hackers can exploit reused passwords from previous data breaches. MFA ensures that even if a password is compromised, an additional verification step prevents unauthorized access.
Zero Trust is another essential approach, assuming no user or device, even inside the network, should be trusted by default. This model requires verification before granting access, focusing on controlling cloud access and ensuring devices comply with security measures like antivirus and encryption.
While cloud technology has advanced, tools for auditing and ensuring compliance have struggled to keep pace. Moving data and services across jurisdictions is now easier than ever, increasing the risk of falling out of compliance without proper oversight.
So, the question of course is: how do you implement Zero Trust within your environment? The key here is to define security policies, which is an element of governance. There are several questions in a webinar on insurtech data security hosted by Xenit, which we agree that your IT department should answer. Each focuses on a different domain of cybersecurity identity:
5. Use centralized authentication with an API security gateway
APIs act as the gateway for external users, making them a prime target for cybercriminals. While the core system may be protected, the API is often the weakest link. To safeguard against breaches, insurtech companies should implement advanced security measures such as future tokens, centralized agents, and strong verification processes, ensuring that only authorized users can access sensitive data.
For insurtech applications, which handle large volumes of sensitive client information, encryption of data in transit is essential. Technologies can provide added protection to secure this data.
Insurtechs need standardization. Many organizations still rely on unique login credentials and authentication processes, which can create security vulnerabilities. By streamlining and standardizing authentication systems, insurtech companies can ensure consistent and robust security practices, particularly when managing external traffic. This approach helps reduce risks and ensures compliance with industry standards.
6. Implement two-way SSL/TLS for internal system communications
Sensitive customer data and financial transactions are at the heart of operations in insurtech. Two-Way SSL/TLS authentication provides an added layer of security by ensuring both the server and client authenticate each other before encrypted communication takes place. This mutual authentication is especially crucial for insurance companies, as it protects data during internal and external communications, preventing unauthorized access to sensitive information like customer details and claims data.
SSL certificates are essential for verifying the identities of both parties in communication, ensuring the secure exchange of data between insurers, partners, and customers. Insurtech companies can either use a public Certificate Authority (CA) like DigiCert for seamless external communications or set up an internal CA for tighter control and cost savings. Regular renewal of these certificates ensures continuous protection.
To maintain robust encryption standards, insurers should enforce the use of TLS 1.2 or 1.3 and disable outdated, vulnerable versions. Automated tools to track certificate expiration and certificate rotation policies will help insurtech companies prevent potential breaches and safeguard against data theft or loss. By implementing these practices, insurance companies can enhance the security of their systems, maintaining customer trust and regulatory compliance.
7. Implement the AWS cloud with Infrastructure-as-code and containerization
Migrating to the AWS cloud can provide a structured, secure, and scalable approach to modernizing your IT infrastructure while ensuring compliance and resilience. Particularly, when combined with the Infrastructure-as-Code (IaC) approach and data containerization practices.
With IaC, your cloud environment is built and managed through automated scripts, eliminating human error and ensuring security best practices are consistently applied across all deployments. This reduces vulnerabilities and improves governance.
Containerization further helps support cloud storage security, as it isolates applications and their data, preventing unauthorized access and minimizing the impact of potential breaches.
Each container runs its own environment, which means vulnerabilities in one container don’t affect others, reducing overall system risk.
Containers also simplify the process of applying security patches and updates quickly, ensuring systems stay protected from known threats. AWS tools enable constant monitoring of container activity to detect any unusual behavior, adding an extra layer of security.
Furthermore, containers are portable and flexible, allowing for consistent security across different environments. They ensure that applications run the same way in any setting, whether in testing, staging, or production. This makes it easier to manage security and compliance, particularly when working with sensitive data. By using encryption and maintaining strict access controls, AWS helps protect data at rest and in transit, enhancing both security and compliance with regulations.
Protecting data requires industry expertise and multi-level security measures
Implementing the right data security standards requires access to both industry and technological knowledge. However, there is a shortage of professionals in the field, which can further exacerbate security risks. If your organization doesn’t have the necessary expertise in-house, then we encourage you to get in touch.
Clurgo takes a comprehensive approach to data security, going beyond basic compliance to offer proactive protection for insurance enterprise systems. Our solutions include automated data classification and controlled data release, which help reduce risk and ensure regulatory compliance.
We also offer advanced authentication methods and secure cloud infrastructure to safeguard insurance companies’ most valuable asset: customer trust and loyalty. By partnering with Clurgo, you’re investing in data security that not only protects your business but also gives you a competitive edge and ensures long-term stability. This isn’t just about avoiding penalties; it’s about securing a strong future in the increasingly data-driven insurance industry.