Thomas Stoesser | Feb 29, 2024 | Data Protection, Compliance, Insurance

Case Study: Why Data-Centric Security Is a Must-Have for the Insurance Sector

Insurance is fundamentally a data-driven business. The insights that carriers can extract from the vast volumes of customer data they process can add a huge competitive advantage, enabling them to detect fraud and optimize premium pricing more effectively. But this often highly sensitive data is also a risk in itself, from both a compliance and a potential breach perspective.

All of which makes the case for a cybersecurity strategy based first and foremost around data protection. With this in mind, two Fortune 500 insurance providers recently turned to comforte’s SecurDPS platform.

What keeps insurance CISOs awake at night?

Insurance carriers have a range of data security and management challenges. These include:

Complex and dynamic data environments

Typically, the larger insurers hold vast volumes of data on their customers. While some of this might be obscure sensor-related data generated by IoT devices, much of it is personally identifiable information (PII) that could be highly regulated. Data environments may grow ever larger following M&A activity. But that also means that this information is often siloed according to the specific subsidiary it is related to. This can make enhanced discovery and classification of data essential.

Adding to these challenges is the fact that PII can exist as structured, semi-structured or unstructured data. This makes it more important than ever to identify, tag and protect all data, no matter what form it takes. It’s particularly challenging in the case of unstructured PII that is captured and recorded informally.

What’s more, these data environments are in constant flux, as new information is added and old data purged.

Legacy tools

Many insurers are also limited by their legacy investments in technology. These may sit at odds with what they want to achieve with cloud transformation and IT modernisation projects. Legacy data protection tools in particular are a poor fit as they often don’t allow utility without compromising on security.

NACHA compliance

Insurers, of course, operate in a highly regulated industry. One such set of rules is NACHA. This is similar to PCI DSS but goes beyond cardholder data to include PII, such as driver’s licenses, bank account information, policy information and SSNs, in structured and semi-structured format.

Threat actors

The bottom line is that such information is highly lucrative for cyber-criminals, making the sector a popular target. Among the most recent breach victims are Pan-American Life Insurance Group (PALIG) and Keenan & Associates.

Two case studies

comforte recently partnered with two Fortune 500 insurers:

  1. A major provider of P&C, life insurance, annuities, retirement investment, homeowners, automotive, and workers’ compensation lines. It required:
    • A more agile and scalable solution as it moves to cloud-based applications for machine learning and analytics—including the ability to discover and protect semi-structured sensitive data within free text fields
    • Utility of data, as it moves to cloud-based data analytics to provide the insight needed for better risk management, reduction and prediction. The company’s existing data masking solution would have exposed live data in an AI-based analytics environment
    • Support for zero trust amidst onboarding of multiple new SaaS apps. Again, legacy data protection tools only protect the data after it has already entered the cloud, which presents a major security gap

  2. A major P&C insurer which required:
    • A fully autonomous sensitive data discovery and classification engine to integrate with existing data privacy and security solutions. It was concerned that without such a solution, these tools would not perform as intended. And it feared the existence of dark data exposing the organization to extra security risk
    • An automated solution to replace its highly manual and static classification and discovery tool, which exposed the organization to human error
    • A solution to integrate neatly into security and compliance solutions available via the Microsoft E5 license application suite, and other third-party solutions for governance, risk management, and compliance (GRC) and data loss prevention (DLP)

How data-centric security can help

The comforte platform is designed with exactly these challenges in mind.

It’s able to automatically and continuously discover unknown repositories at speed and scale—locating sensitive data and understanding what it is used for, where it’s used and which applications are processing it. This extends even to cloud environments, providing customers with a clear picture of where risks are and where additional controls are needed to meet new compliance and risk reduction mandates.

The platform is also able to apply data protection selectively while preserving utility. That means it can automatically locate sensitive data elements within a freeform text field, and apply the right form of protection based on a customer’s policies. And even where protection has been applied, the data can be kept in a recognizable format to enable machine-learning and sentiment analysis.

It is also cloud and DevOps friendly, to protect data truly end-to-end—from acquisition to operations to data analytics platforms in any cloud.

How it worked out

  1. Thanks to comforte, the first provider was able to achieve:
    • Seamless NACHA compliance, and mitigation of compliance risk for future regulations thanks to the platform’s configurability
    • Effective fraud prevention and business insights thanks to the platform’s data utility capabilities
    • Data governance and risk reduction. The organization can now effectively identify sensitive data, protect it properly and monitor ongoing changes in the data ecosystem.
    • Accelerated digital transformation with support for cloud and DevOps

  2. The second insurance provider has comforte to thank for:
    • Continuous and comprehensive data discovery in non-targeted repositories, including the discovery of a large volume of dark data. This has increased its ability to assess and mitigate data security risk
    • Powerful automation which frees up client resources to take on higher value activities related to growth, rather than regulatory compliance
    • The ability to apply global data privacy, governance and security policies across structured and unstructured data residing anywhere on corporate networks
    • A single source of truth approach that reduces false positives, enhances accuracy and minimises human error in discovery and classification

Leading by example

These are just two examples of the power of AI-powered data-centric security in the insurance sector. There are many more. As long as data remains the driving force behind the insurance business model, carriers will require intelligent solutions to mitigate compliance and breach risk whilst preserving utility.
