Is insurance industry data really safe in the cloud?
MELBOURNE – 27 JANUARY 2022 – Digital transformation may be taking the insurance industry by storm, but the stigma surrounding cyber-threats and cloud breaches still looms large.
Many insurance industry companies are embracing the cloud for applications, data storage and modernizing their digital infrastructure. If they’re not, cloud advocates are continually telling them they should.
But how secure is the cloud?
Especially when it means putting the sensitive personal information of millions of insurance industry clients on the internet?
Last month, according to South Australia’s Premier Rob Lucas, “almost everyone” employed by that state government likely had their personal details, including bank accounts and tax file numbers, breached during a cyberattack.
The ransomware attack was against Frontier Software, a company that provides the government’s payroll services. Frontier uses both cloud and on-premise software and storage options.
For insurance companies, could cloud storage and software be a potentially fatal flaw?
“Frazer Walker has had discussions at executive and board level on the risks and benefits of cloud services and how that fits within an insurer’s risk appetite,” said Ian Chisholm (pictured above), a partner at the Sydney-based management and technology consultancy.
Chisholm, an IT expert in the insurance and banking sectors, said it’s about trade-offs between cyber risks and operational and financial risks.
The World Economic Forum recently released its Global Risks Report 2022. Cyber threats featured quite prominently. Carolina Klint, risk management leader, Continental Europe, Marsh, highlighted that cyber threats are now growing faster than the ability to eradicate them permanently. This in turn is making it clear that neither resilience nor governance are necessarily possible with “credible and sophisticated cyber risk management plans,” she said.
During the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) said there were over 67,500 cybercrime reports, an increase of nearly 13%, with estimated losses of more than $33 billion.
“I think it’s a really good question,” said Nigel Fellowes-Freeman (pictured immediately above) CEO of the insurtech Kanopi Cover, as he considered whether the cloud is too much of a security risk for insurance companies.
“I think, generally, when you break most of them down a lot of cyberattacks are the result of password failures, rather than infrastructure failures. So, it’s the configuration of the setup versus actually the infrastructure itself not being secure,” he said.
Fellowes-Freeman said that cloud is a very broad term. There’s a public cloud where everyone shares the same data centres.
“But when you want to get really secure you can use a private cloud. So that’s a cloud environment just configured for you, with only your data on it and only access for your organization,” he said.
Apart from storage, there are all the other benefits that come from cloud computing, including speed, flexibility and affordability, he said.
However, if an insurance company wanted to use a private or hybrid cloud, execution would be key, said Fellowes-Freeman.
“It has to be executed really well,” he said.
On the security side, Fellowes-Freeman said it would be hard to match the security effort of the big cloud providers.
“There’s a really, really big investment from these cloud providers like AWS (Amazon Web Services) and Microsoft in security and data protection,” he said.
Richard Kimber (above), CEO of Daisee, the Australian AI (artificial intelligence) software company, agreed with Fellowes-Freeman. He said the cloud services provided by the big players are very secure.
“We haven’t seen any widespread, successful attacks on any of those providers and I think that’s because the security controls are numerous and multi-layered,” he said.
Kimber thinks the cloud is a lot safer than it’s portrayed in the media. He also said many of the successful cyberattacks are the result of targeting individuals rather than directly breaching cloud security systems.
“There are always going to be vulnerabilities, but it’s a matter of making sure the right controls are in place,” he said.
Chisholm said one big reason insurers are increasingly moving from self-hosting to private and/or public cloud services for their core insurance applications is cost.
“They are much more cost-effective than running your own private data centres, as most insurers did in the 1980s-1990s,” he said. “The costs of owning and operating these large, high-cost assets to the standard now required by regulators, and to meet customer expectations, is prohibitive for most organisations,” added Chisholm.
Chisholm said data centres also require “a small army of IT staff” and around the clock operation which is beyond the capacity of most insurers.
“Keeping those skillsets current and at an appropriate level of redundancy would stretch organisations’ staffing and training budgets,” he said.
There’s also the range of services offered by cloud providers including artificial intelligence, machine learning and Internet of Things data processing.
“Insurers need to focus on their core business and value creation. Being experts in operating data centres is not part of that,” he said.
However, he said, this does come with a new set of risks.
“Namely, having your computer network attached to the internet,” he said.
Chisholm said that’s why regulators, such as APRA, have mandated prudential standards for all financial services institutions to manage internet and technology supply chain risks.
“APRA is well aware of the risks for institutions around customer data assets and has been promoting tripartite risk reviews with CPS 234. Most organisations are to complete the reviews by Sept 2022,” he said.
Chisholm explained that the Office of the Australian Information Commissioner also monitors insurance companies’ compliance with privacy laws, either from cyber breaches or accidental disclosure.
“Consequently, most chief risk officers have teams monitoring and reporting actual or potential privacy breaches,” he said.
There are also Privacy Impact Assessments to identify and mitigate privacy risks in an IT project’s design phase.
“Boards must be cognisant of cloud opportunities and their risks as they are now being held to account for the good governance of organisations’ information and technology,” he said.
So are any big players in the insurance industry cloud deniers?
“The Frazer Walker team has not yet met a complete sceptic on cloud services. The economics and feature-rich environments are just too strong a proposition,” said Chisholm.
Kimber said most of the big banks and big insurers are underway on their cloud migration.
“I think, from an adoption perspective we’re into the late majority who are cloud believers,” he said. “The non-believers are more the minority. But having said that, in some of the legacy institutions and older companies there are still pockets of resistance.”
He credited the cloud-based software company Salesforce with paving the way and jumping the hurdles that are making it easier for other companies to adopt the cloud.
“I haven’t met anybody yet who denies the advantages of cloud computing. But that’s not to say that there isn’t resistance in terms of the transition to cloud computing,” said Fellowes-Freeman.
He said the resistance comes from larger insurers with big legacy technology and infrastructure that require big investments of time, money and resources to make the cloud transition.
“Changing a beast with hundreds of thousands of policyholders and billions of dollars of GWP is a really big digital transformation process and it takes years and years,” he said.
For those who have become the outliers, the pockets of resistance, Chisholm said some of the insurance industry’s smaller IT set-ups can still be satisfied on a local server. Chisholm included proof-of-concept systems, non-critical spreadsheets and some development or low-level testing environments in this list.
There was a caveat or two, however.
“That approach, while cost-effective, may not be ideal depending on the system requirements,” he said. “And remember those systems can still be subject to cyberattacks because most local servers are also connected to the corporate network.”