Delivering value with cyber security in the insurance sector

Like many businesses in Aotearoa New Zealand, the insurance sector is feeling the pressure of current circumstances. Economic and geopolitical uncertainty, along with the current and future impact of natural disasters and global warming, is changing the perception and reality of risk for all customers. Simultaneously, technology advances, changing regulations, supply chain risk, and people availability all impact the way we respond to the risk environment.

For most businesses, delivering measurable value cross every project and operational expense has become even more important in recent times, and the insurance industry is not immune to this. This is partly because in insurance the level of risk exposure and required compliance are often much higher than the average business.

KPMG recently released some global insights on cyber security considerations for the financial services sector.

In this article we take some of those insights and put them in the context of adding value to insurance companies through their cyber security spend, looking at several priority areas:

For many insurance organisations, we believe that identity has the most potential to add significant and long-term value while also measurably reducing risk. Identity-based attacks have been the overwhelming trend for the past two years when it comes to successful cyber security breaches. Although identity-based attacks have always been an issue, the proportion of successful attacks attributed to identity has increased markedly. The particularly worrisome aspect of this is that these attacks are often much more difficult to spot, and it can be relatively easy for attackers to steal sensitive data and cause other damage. Based on data collected by CrowdStrike, 75% of all detections are malware-free activity and usually involve identity techniques. This means that protecting your environment through security measures that don’t factor in identity will often be insufficient.

It’s also important to consider the total cost of identity management. Doing it right can significantly reduce the people overhead of trying to address identity-based security anomalies; and that’s before considering the potential cost of a breach. The big cost-saving opportunity, which may not be so obvious, is related to how you interact with customers. A well-designed identity estate significantly reduces identity fraud; and any type of fraud comes with a quantifiable cost impact to the business’s bottom line. Fraud also has a very real cost to your customers and regulatory bodies are expecting financial institutions to do more to protect consumers from fraud. Identity management is one of the most effective ways of achieving this, particularly now that AI is making fraudulent activity easier. Furthermore, better identity governance, processes and systems will reduce process friction for staff and customers. It enables the automation of processes and the safe sharing of data – while also reducing manual verification requirements and human error.

The human experience side of identity is also an opportunity for retaining customers. Savvy consumers expect their insurer to do this stuff right – and like it even better if it improves their user experience too. It will be a key driver of how often they need to talk to you, and generally contributes to improved customer satisfaction.

We’ve been discussing the value of data for many years, usually how we’re not tapping its value enough. With the plethora of opportunities emerging on how we can use generative AI, particularly large language models, the pressure on extracting value from data has gone up exponentially. On the flipside, the most damaging breaches in recent years have been damaging precisely because data governance, management and security have been under-cooked.

In insurance the data risk is huge – with a trifecta of identity data, personal financial data and personally sensitive information all being received from customers daily. Obviously there is also organisational data – which has a different risk profile, but still a high one, particularly if the company is publicly traded. However, focusing on only the risk can hide the benefits. More and more insurance companies have been leveraging the data they hold on customers to significantly improve the customer experience and reduce the need to directly interact with customers. This helps with the retention and satisfaction already discussed above and is often considered table stakes by many consumers. I know I wouldn’t accept not being able to access my insurance details on the app my company makes available.

All of these factors are increasing the immediate return of doing data better. Almost every organisation has room for improvement and the returns are worth it. Start with ensuring data governance is getting enough attention. Every organisation should understand what data they have, where it is, how it is being accessed, and by whom. This understanding needs to be constantly updated and transparent. Continuous data management will make business process automation, AI, and data security significantly more achievable. Starting with data governance and management also makes it easier to assess new technology investments and make choices that will truly move the dial. Too many organisations are throwing technology at their data problem without making the organisational changes that are needed to go with the technology.

Solving the identity challenges discussed earlier is a major enabler to using your data better, as it directly addresses who has access to what data and when. It also helps you catch anomalies that could signify a breach before it happens or enable you to stop it early.

Cyber Risk Quantification (CRQ) is important because it’s all about measuring risk using quantifiable data and making value-based decisions as a result. For example, helping answer questions like:

What should I invest in because it’s going to reduce my cyber security risk the most?
What cyber decision or investment will generate the most benefits for our organisation?

This area has had a lot of focus from KPMG recently and globally there is a cyber industry trend towards CRQ approaches, rather than only relying on criteria-based assessments. Traditional assessments will usually rate the criticality of a risk based on the standard risk matrix approach of weighing likelihood against impact. Because impact is often very high, the criticality of many risks can end up looking pretty grim. However, three things are often unclear in this approach – what is the risk when I weigh it against my organisation, industry, and global context; what should I do about the risk; and where will I get the best return on my [cyber security] investment (ROI). This last ROI area is often the biggest differentiator from other assessment types and is central to the KPMG approach.

As discussed, there is a strong focus on value for money in the current environment. Using CRQ helps you have a value-based discussion with all stakeholders, including the board; it informs decision-making across the cybersecurity portfolio; and puts real dollars into any discussion about how you deliver value with your cybersecurity programme.

The insurance sector is well positioned to take a fact-based and value-driven approach to improving cyber security maturity and building out cyber security programmes of work. Not all cyber security ‘high-priorities’ should be treated equally, particularly in a sector exposed to unique external and internal risks that shift the balance of investment when viewed through a value-based lens.