This article first published in Feb 2018 issue of Asia insurance review and reproduced with permission from Asia insurance review.

Insurance companies must take a new approach to protect the wealth of personal data streaming in from vehicles, smartphones and a myriad of IoT devices. Mr. Chris Moyer of DXC Technology elaborates.

In a little over a decade, usage-based insurance (UBI) has transformed from an intriguing new pricing gimmick to a must-have option in the product portfolio.

Nearly 300 insurers globally are now offering some form of UBI to 14 million policyholders in 2016, growing by 32% in just a year. While Asia accounted for only a small percentage of policies, China was among the fastest-growing markets.

Telematics from connected vehicles is just a part of the wealth of data pouring into the insurance industry from a widening array of sources – smartphones, smart watches, smart homes, internet bots, social networks, security cameras, body cameras, health trackers, satellite photos, drones and much more.

Securing data and protecting customer privacy

This data could support innovative ways to assess and price risk, but many insurers are finding they need to overhaul their existing IT environment, move applications to the cloud and support a burgeoning number of mobile and internet of things (IoT) devices. This technology shift is creating new challenges for securing data and protecting customer privacy on the edges of enterprises.

As we embrace mobile solutions and rely on connected applications, we are taking our corporate information assets outside of the traditional enterprise fortress.

Instead of a well-defined enterprise network and a sophisticated layered defence, we now need to focus on the users of the data. For every mobile app launched to support UBI, you have created a new network that did not exist at most enterprises as recently as two years ago, and you have no control of the endpoints.

In addition, IoT devices are gathering data without mobile apps. For example, MSIG Insurance, based in Singapore, announced in July a “pay-how-you-drive” car insurance policy that utilises a plug-in telematics device to track driving behaviour.

The company will pay to install the device in the vehicle, which tracks more detailed information including distance, speed and driving style, such as cornering, acceleration and braking, and give policyholders a colour-coded analysis of their driving behaviour.

New threats to the enterprise

In the past, security operations teams needed to worry about safeguarding only a dozen or more entry points, which were handled by firewalls, antimalware, identity management and vulnerability scanning.

Today, add to that millions of smartphones, mobile apps and IoT devices used by customers, employees and partners, and large enterprises can easily lose sight of threats at the perimeter. Insurers are going to need to extend the visibility they have built into their corporate enterprise network to these new consumer-driven networks.

Influencing behaviour

Insurance companies are not only using this data to evaluate risk, but also to influence customer behaviour. Manulife, for example, recently started offering customers in Hong Kong and Macau an Apple Watch, with the ability to earn rewards and discounts by regularly closing all three Apple Watch Activity Rings. Members can earn a 5% discount by averaging 5,000 steps a day and 10% for 10,000 steps.

Extending monitoring to detailed health indicators such as heart rate, sleep patterns, temperature and more will allow insurers to customise offers to individuals.

Insurance companies have policyholders, claimants and agents accessing information across multiple devices and multiple locations. They are demanding the same kind of high-quality user experience they get when they book a flight with an airline or order a product online from the likes of Amazon. They expect accuracy, responsiveness and intuitive engagement.

Insurance companies need to transform many of their processes to fit into this digitally driven relationship with policyholders.

The industry’s goal should be to embed security intentionally into all these new consumer-based applications. This is an ongoing set of activities that we continue to work on with our insurance clients to provide simple, easy-to-use solutions. It requires a holistic approach to the overall enterprise and solutions based on the organisation’s risk tolerances.

Addressing the rapidly changing enterprise threat horizon

Hackers have always targeted banks, insurance companies and credit agencies for the financial and personal data they hold. In this “brave new world” of consumer-facing apps and IoT devices, criminals are creating new opportunities to monetise stolen data.

While smartphones and connected vehicles are being used to track miles driven per month, in reality, these two types of devices can track nearly every movement and communication customers make.

Think about it from a criminal’s perspective. By knowing the information you have shared in a consumer-facing app, I now know where you live, where you work, what time you drive to work, and what time you come home from work. It is way beyond just a person’s financial information. It is really a person’s life.

Cybercriminals are increasingly sophisticated and collaborative, creating rapidly changing threats and new intrusion strategies. Security operations teams must be constantly looking across the enterprise threat horizon to anticipate new attacks and identify compromises.

Even well-patched and endpoint-protected enterprises are vulnerable. Organisations today need segmented networks, enhanced privileged access management and sophisticated detection capabilities.

Recently, ransomware attacks have increased worldwide. While ransomware has been around for years, criminals are now stealing personal data and holding it for ransom and threatening to expose it to the world – in some cases enlisting the media to increase the pressure to pay. So, insurers not only need to secure the enterprise, but they also need a clear policy and strategy for potential negotiations with criminals.

Customer privacy in focus

High-profile data losses are fuelling concerns over customer privacy and the rights of individuals. This is driving sweeping changes in security and data management all over the world.

Coming on the heels of new data privacy laws that went into effect in Japan and China in 2017, the European Union’s General Data Protection Regulation (GDPR) will go into effect in May 2018. GDPR ensures customers’ rights to control who accesses their data and profiles, how long data can be stored, when it needs to be erased and who is notified in case of a breach. It applies to any company that sells goods or services or monitors the online behaviour of EU citizens.

What is the best approach in this new climate? Know the existing regulations, track emerging standards and look for ways to differentiate your company from the competition in how you protect your policyholders’ privacy. Look to these regulations as an opportunity to improve security, data management and digital business practices for handling data.

Instead of viewing data protection as just another mandated compliance activity, insurers should view it as a way to gain trust with policyholders, improve the overall management of data and eliminate data duplication. In fact, a recent DXC Technology study found that up to 40% of an enterprise’s data is duplicated or unnecessary.