Orchestrating data privacy and cybersecurity for Indian insurers

India’s insurance industry has undergone a significant digital transformation, leading to a balance where physical and digital insurance touchpoints combine to create a seamless customer experience. During this journey, stakeholders, including insurance companies, brokers, agents, web aggregators, surveyors, or loss assessors, collect, process, and store customers’ personal, financial, behavioral, and health-related data. However, multiple stakeholders accessing such data make the insurance ecosystem vulnerable to potential security breaches.

Because it collects a high volume of critical personal information, insurance remains one of the most targeted sectors. Last April, the Insurance Information Bureau of India, which collects transaction data from insurers for different lines of business, had fallen prey to a cyber breach that compromised customer data. Similarly, in July, bad actors leaked sensitive customer data on the dark web after hacking into the databases of leading insurers. Web aggregators like Policy Bazaar fell prey to system vulnerabilities, exposing critical customer data such as PAN cards and AADHAAR card details.

The Insurance Regulatory and Development Authority of India (IRDAI), in two pioneering guidelines, namely Guidelines on Information & Cybersecurity for Insurers and Guidelines for Insurance E-commerce, sets out frameworks for insurers and related parties to ensure:

• The confidentiality of all customer information.
• Localizing critical information within India, especially where cloud servers are leveraged.
• Privacy and protection controls for the outsourcing service provider or intermediary.
• An assurance strategy (Vulnerability Assessment and Penetration Testing or VA&PT) for data protection mechanisms.
• Regular audits and timely reporting of security incidents.

Three crucial pillars to meet the mandate on customer data

Insurers need to approach customer data from three angles:

• Governance: Implement access policies and design controls across the network to ensure data is used for intended purposes. The governance models that are fine-tuned to specific business processes, such as underwriting or claims adjudication, will help create audit trails.
• Risk: Enforce data classification policies that segment moving data as private, public, and confidential. This could include enforcing non-disclosure agreements and right-protected emails, but a larger part will depend on operational intricacies across stakeholders.
• Compliance: Set up policies, train staff and partners, conduct regular risk assessments, and create internal mechanisms that ensure confidentiality, integrity, availability, and consistency of customer data across all touchpoints and stakeholders in the insurance ecosystem.

How Insurers Can Rise to the Data Protection and Security Mandate

A trusted partner to orchestrate data controls across the insurance ecosystem can help meet security mandates and innovate for the business.

Why Insurers Need a Strategic Technology Partner

• Reimagine internal processes with a secure-by-design mindset: As insurers transition to a digital operating model, they must reimagine long-set processes and embed checkpoints to ensure data compliance, governance, and protection mandates are consistently met. A technology partner with an in-depth knowledge of insurance processes and a deep footprint in designing secure workflows can help reimagine workloads, access policies, and adequate controls.
• Embed threat modeling and disaster recovery: To protect against cyber-attacks or data misuse, a technology partner can help assess risks, take necessary precautions, and be vigilant for new vulnerabilities. Disaster recovery systems replicate databases to maintain data access in a cybersecurity event. Threat modeling is also critical as it enables insurers to actively monitor security posture and identify gaps and mitigate them proactively.
• Adopt a democratized security approach: Insurers must adopt a zero-trust security framework to combat cyber threats. This requires a dynamic access control system that verifies user identity and access policies for every connection. Zero-trust security denies access by default, requiring users to establish credentials, even within the network. This approach helps secure workloads in a shared and distributed IT environment, and the right technology partner with security expertise is crucial for its implementation.
• Work out a cloud strategy that ensures data localization: Most insurers today leverage cloud partners with data centers outside India and run non-compliance risks associated with mandates that restrict the movement of policyholder data beyond Indian boundaries. Insurers need a cloud transformation partner to broker the right deal with cloud service providers with the necessary riders to foster compliance and data security.

Go the Last Mile with Persistent

Persistent has 30 years of experience in product engineering and digital transformation. We help insurers with regulatory compliance and achieving top-tier data security and governance with a 360-degree approach to data protection controls.

Persistent Data Security Overview

• Deep Insurance Expertise: Domain experience derived from working with leading insurance carriers and TPAs, as well as innovative fintechs and smaller institutions across all industry sectors.
• Technology Excellence: A product engineering DNA cultivated over 30 years, with cutting edge technologies, enables us to leverage unique insights to help clients build technology-driven solutions that deliver business results.
• Robust Partner Ecosystem: Established partnerships with leading platform providers (AWS, Google Cloud Platform, Microsoft Azure) and fintechs that enable building the right solution for today and the ability to innovate for tomorrow.

Secure your customer data and workloads with Persistent today! Get in touch with us here.