Strategies for mitigating data risks in the insurance industry

Authored by Conjeevaram Baradhwaj, Executive Vice President (Legal & Compliance) and Company Secretary at Future Generali India Life Insurance Company Ltd

Introduction

The insurance industry is uniquely positioned as one of the sectors that handle a substantial amount of personal data. This is especially true for life and health insurance, where sensitive personal information about policyholders is central to underwriting and servicing policies. The fundamental principle of utmost good faith governing insurance contracts necessitates the disclosure of personal and sensitive information. This makes it imperative for insurance companies to implement robust strategies for protecting personal data, managing data-related risks, ensuring confidentiality, and preventing information leaks.

Types of Personal Data and Data Leakage Risk

In the insurance sector, personal data is processed by various entities, including insurance companies, agents, intermediaries, and vendors. The journey of this data begins with distributors collecting customer information, including KYC documents and proposal forms with personal details. Subsequently, this information flows to insurance companies for underwriting and policy issuance. Additionally, activities such as policy printing and premium collection involve sharing customer data with third-party service providers. At each juncture of this data flow, there is a notable risk of data leakage, necessitating the implementation of robust information security controls.

Legal Framework on Data Protection & Information Security

The Indian insurance industry operates within a comprehensive legal framework for data protection and information security. Three key legislations establish this framework:

Information Technology Act, 2000 (IT Act) and SPDI Rules 2011: The IT Act mandates organizations to establish reasonable security procedures to safeguard information from unauthorized access, modification, and disclosure. The SPDI Rules require organizations to have a Privacy Policy covering personal information, including sensitive data. Consent from data providers is necessary for collecting sensitive data, and data usage must align with the specified purpose.

Digital Personal Data Protection Act, 2023 (DPDP Act): This newly enacted law emphasizes obtaining prior consent for sharing personal data, whether sensitive or not. Data fiduciaries must notify data principals about data processing purposes, rights, and grievance redressal. If data fiduciaries outsource data processing, they remain responsible for data protection. Customers have the right to withdraw consent.

Information & Cyber Security Guidelines of IRDAI: The Insurance Regulatory and Development Authority of India (IRDAI) has established guidelines for information and cyber security. These guidelines define the roles and responsibilities of information security personnel, control measures, and governance frameworks for insurance companies and intermediaries.

Data Security

Data security begins with data classification based on sensitivity and confidentiality levels, such as "Confidential," "Restricted," and "Public." For instance, personal sensitive information in life insurance, like medical history and annual income, must be restricted to a select few. Confidential information should be clearly labelled as such to emphasise the need for data protection. When transferring confidential information outside an organisation's network, including over the internet, encryption should be mandatory to prevent unauthorised access. Mobile devices, frequently used for data transfer, should be equipped with file-based encryption software and hardware encryption to ensure that only authorized personnel can access data.

Identity Verification

Robust identity verification methods are essential to prevent fraud and protect investor data. User IDs should be granted only after thorough verification, and password policies should mandate strong passwords with special characters. Users should be required to change their initial password immediately after the first logon. Access to an organisation's environment, including the network, should only be granted upon approval from HR, and access rights should be revoked through a formal de-registration process. Each user ID or account should uniquely identify only one user, holding individuals accountable for actions associated with their user IDs.

Data Access Controls

Effective data access control is crucial, based on a "need-to-know" basis. Access control should adhere to principles like 'User Authorization' and 'Accountability,' supporting concepts such as 'least privilege access,' 'segregation of duties,' and 'individual accountability.' Authorisation for user access should be based on business necessity, ensuring only authorized individuals can access organisational information assets. This approach safeguards information from unauthorised access, modification, disclosure, or destruction, preserving data accuracy and confidentiality.

Cybersecurity Training

Comprehensive cybersecurity training is vital to raise awareness and mitigate insider threats. All employees, especially those in sales, should undergo mandatory information security training. Authorised third-party users, like outsourced vendors, should also receive training. Training and awareness programs should encompass information security policies and processes, clarifying roles and responsibilities from an information security perspective. Training should cover phishing attacks, emphasising not clicking links from suspicious emails. Conducting mock phishing exercises can reveal vulnerabilities within the organisation, helping address weaknesses and educate employees on best practices.

Backup and Recovery

Data backup and recovery plans are vital for ensuring business continuity and data security. Backup frequency and restoration testing should align with data classification, defined by an information security standard. Backups should be encrypted, with a log of restored data maintained. The number of backup sets should be determined by the information's criticality. Testing the ability to restore data should involve dedicated test media to avoid overwriting original media, safeguarding against irreparable data damage or loss.

Threat Detection

A Security Operations Centre plays a pivotal role in real-time monitoring and threat detection. Swift responses to security incidents, along with immediate reporting to regulatory authorities like CERT-IN and IRDAI, are essential for protecting investor information. Real-time monitoring generates alerts for the Security Operations Centre, acting as a continuous surveillance system for information security threats.

Transparency

Maintaining transparent communication during data breaches is imperative. According to the DPDP Act, a personal data breach encompasses unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. In such cases, data fiduciaries must inform the Data Protection Board and affected data principals as prescribed by the Central Government. Additionally, incidents must be reported to CERT-IN within six hours if they meet certain criteria, besides notifying IRDAI. Timely disclosure, coupled with swift remediation, helps maintain trust and meet legal obligations.

Insurance Products

Cybersecurity insurance policies offer a critical layer of protection against data risks. These policies cover financial losses resulting from cyberattacks, data breaches, and fraudulent activities. As businesses increasingly rely on the digital realm, the threat of cybercrimes grows. Cyber insurance policies provide peace of mind, safeguarding against a range of cyber threats. They encompass risks related to IT infrastructure, information governance, and information policy—areas often not covered by traditional insurance products. With cyber insurance in place, organizations and individuals gain a safety net against the rising tide of cyber threats, bolstering their resilience in the face of evolving risks.

In conclusion, adopting a comprehensive approach to data risk mitigation is essential for the insurance industry. Compliance with legal frameworks, robust security measures, employee awareness, and cyber insurance all contribute to safeguarding customer information and maintaining trust in this evolving landscape.

The author of the article is Mr. Conjeevaram Baradhwaj, Executive Vice President (Legal & Compliance) & Company Secretary at Future Generali India Life Insurance Company Ltd. Views expressed in this article are personal and does not necessarily reflect the views of the Company.