New Security Regulations Are Creating Compliance Concerns for Insurers

I recently led a workshop on cybersecurity as part of Novarica’s 11th annual Insurance Technology Research Council meeting. With new legislation in the US and EU, carriers are preparing to handle new security and compliance challenges. Major points of discussion included:

Multi-Factor Authentication
With many carriers doing business in both the US and Europe, secure methods of authentication are an increasing concern. The regulations do not mandate a specific number of factors for multi-factor authentication, but the general consensus is to require at least two, drawn from different categories (something the user knows, has, or is). Carriers are applying multi-factor authentication, or an equivalent control, to any interaction in which a user on an external network accesses information behind the firewall. Some carriers go a step further and add role-based authentication for internal updates or transactions behind the firewall, so that sensitive changes require verification tied to the user's role rather than network location alone.

NYS Cybersecurity Regulations
While the New York State Department of Financial Services cybersecurity regulation that recently went into effect (23 NYCRR Part 500) is similar to the NAIC Insurance Data Security Model Law, the two are not an exact match. States like Illinois are replicating New York's approach, so even insurers that do not conduct business in New York should be preparing to meet comparable standards. Apart from the limited exemptions Part 500 grants to the smallest covered entities, the responsibilities under the regulation are the same regardless of the carrier's size; larger insurers, however, are likely to face steeper consequences for non-compliance, since fines are expected to scale with the size of the organization. Insurers of all sizes should be focused on compliance.

GDPR and Possible Impact on US Companies
Similar to NYS, Europe has updated its data protection rules, and the GDPR's territorial scope reaches beyond where the business is physically done. Under Article 3(1), it applies to any processing carried out in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU. Under Article 3(2), it also applies to controllers and processors established outside the EU when they process the personal data of data subjects who are in the EU in connection with offering them goods or services or monitoring their behaviour. There is some debate about how this applies to non-EU citizens in the EU or to EU citizens located outside the EU (e.g., in the US); note that the text of Article 3 refers to data subjects who are in the Union, not to citizenship. Insurers should be especially cognizant of these provisions; the fines for GDPR non-compliance (up to €20 million or 4% of worldwide annual turnover, whichever is higher) are much higher than those under US regulations.

As insurers become more reliant on big data and analytics in their organizations, both US states and the EU are developing new security standards for that information. CIOs are charged with balancing innovation and compliance. To learn more about our research and advisory work with insurers in this area, contact us at [email protected].
