DRIVING INNOVATION

2019 - The Year of Cyber Change for Insurance

It’s only a matter of time until insurance professionals in all 50 states will be required to implement a formal cybersecurity program.

Background

It’s time for insurance professionals to embrace change in today’s digital world.  Change helps us grow.  It offers new opportunities.  It allows us to better relate to customers.


According to a recent insurance survey by Ernst & Young, customers are increasingly looking to work with companies that have a strong online presence.  Customers want to research and buy products online, particularly using their smartphones.  Finally, customers crave frequent, targeted, and personalized communications. [1]

Enhanced Digital Presence

Does your agency have a mobile-friendly website?  Do you allow customers to make policy changes online?  Do you have a platform for sending email blasts?  All of these things should be part of your 2019 business strategy.  Enhancing your customers’ digital experience will invariably grow revenue and customer satisfaction.

However, with an improved online presence, your agency’s attack surface will expand.  It is more important now than ever before to have an objective third party test the security of your public-facing website and IT infrastructure.  Penetration testing is an authorized simulated attack on a computer system, performed to evaluate the security of the system.  It also answers the question “how hackable am I?” which, when answered and dealt with, can help you sleep better at night.

The All-Digital Agency

For years, it has been predicted that agencies will move to an all-digital (paperless) workflow.  Perhaps 2019 will be the year your agency implements e-signature and other paperless tools to cut down on wasted time and increase customer satisfaction.  Who wants to receive a contract via email, print it, sign it, scan it, and email it back?  Sounds painful because it is.  Agencies should be looking at ways to digitize workflows and reduce extra effort on the part of the customer.

Even with all the benefits of moving to an all-digital agency, it is important to consider security measures such as where sensitive data is stored, who has access, and how that data is protected with encryption and by other means.

Expansion of Cybersecurity Regulations

Insurance professionals licensed in New York are already aware of the state-level 23 NYCRR 500 cybersecurity regulation, which has been in effect since early 2017.  The NAIC has recognized the need for a uniform national cybersecurity standard for the insurance industry.

The Insurance Data Security Model Law (MDL-668) is NAIC’s answer to 23 NYCRR 500.  MDL-668 would require “insurers to implement an information security program and investigate and notify the state insurance commissioner of cybersecurity events. The Treasury Department, in its Report on Asset Management and Insurance, endorsed the model and recommended that Congress should consider preempting the states if it is not adopted in 5 years.” [2]

In other words, it’s only a matter of time until insurance professionals in all 50 states will be required to implement a formal cybersecurity program like that established in New York less than two years ago.  At the core of MDL-668 is a risk assessment designed to identify foreseeable threats to nonpublic information, assess the likelihood of damage due to these threats, and assess the sufficiency of existing safeguards for protecting that information.  Beyond the risk assessment, insurance professionals will be expected to train employees on cybersecurity best practices, maintain comprehensive cybersecurity policies to guide employee behavior and reduce risk, and notify the appropriate entities in the event of a realized breach.

In May of 2018, South Carolina became the first state to adopt the NAIC’s Model Law.  As of January 1, 2019, insurance professionals licensed in South Carolina must follow S.C. 2018 Act No. 171, the “SC Insurance Data Security Act”.

The bottom line is this – if your agency isn’t following the cybersecurity practices described above, it should start, because cyber legislation is here to stay.  If your agency is already well along the path toward building a mature cybersecurity program, it should continue to refresh policy over time, reevaluate risk as the environment changes, and continue to train employees on proper cyber hygiene.

In Summary

Insurance companies face a choice.  Modernize, digitize, and better utilize today’s tools to increase revenue and customer satisfaction, or don’t.  Implement a cybersecurity program, or don’t.  If revenue protection and growth are goals for your agency in 2019, consider the costs and benefits of implementing some of the cybersecurity measures discussed in this article.

[1] Ernst & Young. (2018, September 06). Five tech trends that will define the future of insurance. Retrieved November 10, 2018, from https://www.ey.com/en_gl/insurance/five-tech-trends-that-will-define-the-future-of-insurance

[2] NAIC. (2018, July 11). Cybersecurity. Retrieved November 10, 2018, from https://www.naic.org/cipr_topics/topic_cyber_risk.htm

[3] CB Insights. (2018, March 21). How Blockchain Could Disrupt Insurance. Retrieved November 10, 2018, from https://www.cbinsights.com/research/blockchain-insurance-disruption