Strong economic growth across the global insurance industry has driven a commensurate uptick in cybersecurity spending over the past several years. According to an Ovum report, the global insurance sector is showing the strongest growth in IT spending seen in the last 36 months, and managing security, identity, and privacy is a top priority.
There are several reasons why. Costly legacy systems, along with the impact of disruptive new digital business models, have pushed the industry to embrace next-generation technology in order to meet consumer demands for greater personalization and new digital channels. In fact, the Ovum report found that spending on digital channels and modernizing legacy systems rounded out the top three spending priorities.
At the same time, CIOs must balance that need for innovation with a wide variety of regulations around data security, data privacy, and cybersecurity—all while dealing with a growing volume of increasingly sophisticated cyberattacks. This has had a twofold effect: the role of Chief Compliance Officer (CCO) has grown in importance, and companies are investing heavily in cybersecurity to avoid the regulatory costs of a breach.
Rise of the CCO
In a highly regulated industry such as insurance, the compliance function has grown more prominent in recent years. Many compliance departments are growing rapidly, and the role of the Chief Compliance Officer (CCO) is becoming ever more critical. For many insurance companies, the CCO’s influence extends across nearly every part of the business, including board-level visibility. Because of the industry's stringent regulatory requirements, insurance compliance departments are well funded, which in turn puts even greater pressure on making sure that cybersecurity does not put regulatory compliance measures at risk.
The High Cost of Insufficient Security
High-profile data breaches such as the Equifax breach have driven increased regulation designed to make sure that companies, especially insurance and financial services companies, better protect consumer data. Since 2016, federal legislators have passed a series of data privacy, data security, and cybersecurity laws with hefty penalties to incentivize companies to improve security. In 2018, the Securities and Exchange Commission (SEC) issued guidance requiring that security breaches and service outages resulting from cyberattacks be disclosed within 72 hours. In addition, the SEC made board and C-level executives accountable for risks stemming from cybersecurity, thereby exposing them to class-action lawsuits and SEC scrutiny. The pressure is likely to rise further as state legislatures and other countries add their own regulations.
Moreover, many of the new and existing cybersecurity laws require periodic assessment, documentation, and reporting of cyber risks as part of annual or semi-annual certification, raising the stakes still further. Failure to perform due diligence can result in significant penalties, not to mention the risks faced by the business.
Legacy and Digital IT
According to a Moody’s report, insurance companies are heavily dependent on legacy systems and code—but maintaining them can cost up to 80% of IT’s budget. As the Ovum report notes, modernizing legacy systems is a top priority—not surprising, given the vulnerability risks of legacy technology. As the insurance industry balances the demands of managing legacy systems and embracing digital transformation, it remains critically important for IT departments to build a comprehensive security strategy that uses the latest generation of cybersecurity solutions to protect both legacy and modern systems.
Haggerty is an associate vice president, product and solutions marketing at NETSCOUT.