When the lockdown was announced, a slew of insurance reports pointed out that cyber and data security would the biggest risk for India Inc. It is these same risks that have now increased costs for insurers.
Since March 25, when the entire country moved to a remote working setup due to the Coronavirus-induced lockdown, insurance companies have had to be doubly sure their systems are equipped to handle data securely.
The biggest risks were unauthorised persons entering the system or attempts to steal customer data. Six months on, work from home is the new normal and insurers, while trying to keep data safe, are seeing costs rise by close to 20 percent due to the new work setting.
Typically, insurers spend between Rs 80 crore-120 crore per year, depending on their size, on their IT/technology expenses. Of this, 15-20 percent goes into security costs alone.
Now, additional expenses are being incurred because employees have been using their own devices at home.
Insurers deal with customers’ private data, including name, address, identity documents, medical data and salary details. If this is procured by a third-party, it could be used for criminal activities or even sold to marketing firms.
Insurance regulator IRDAI has directed companies to adhere to a higher degree of compliance and ensure that there are no cyber security risks during the work-from-home period.
Why are the costs going up?
In a bid to ensure that customer data is protected and no third-party gets access to information from the servers, insurers have added multiple layers of security.
“There are additional licences required to get into the system remotely. There is a 10-15 percent additional impact on overall security costs due to this,” said Goutam Datta, Chief Information & Digital Officer at Bajaj Allianz Life Insurance.
This costs more than regular office IT tools because each of these technological processes has specific licences that need to be purchased prior to use.
Kiran Belsekar, Vice President, Information Security, Aegon Life Insurance, said that security controls have to be established at the data classification, storage and transfer stage to ensure that loss/leakage is avoided and privacy is maintained while data flows over remote networks.
“The compliance cost for network security, cloud security, secure access, data protection, endpoint compliance, awareness and monitoring has increased. Every attack starts on the endpoint, hence ensuring compliance of edge devices is essential,” added Belsekar.
Even basics like antivirus software needs to be of an advanced level when employees are working from home. For insurers, anyone, including past employees, competitors or even hackers, could be looking to steal customer data.
Dr Shreeraj Deshpande, Chief Operating Officer, Future Generali India Insurance said that the company has invested in buying VDI tools, broadband, safe network connections and secure login systems, among others.
“Some companies may say it has raised their compliance costs, but we firmly believe it is an investment for better work practices in the long term,” said Deshpande.
What various insurers are doing
Vishal Shah, Head, Data Sciences, Digit Insurance, said that his company has implemented a DLP (Data Loss Prevention) agent on each laptop. DLP refers to a set of processes and technology tools used to ensure that sensitive data is not lost, misused, or accessed by unauthorised users.
The company is also 100 percent on the cloud and all Digit Insurance applications are hosted on the cloud server with a VPN setup, which enables employees to work remotely amid the ongoing pandemic.
Similarly, at Aegon Life, the insurer has deployed security controls to ensure that data is neither lost nor stolen. Belsekar said that there is also a Virtual Desktop Interface (VDI), Secure Internet Access, and Advanced Threat Protection (ATP) for email and computing infrastructure.
Shanai Ghosh, Executive Director & CEO, Edelweiss General Insurance, said that the insurer has implemented a ‘Zero Trust Security’ framework, requiring strict identity verification for each user and device attempting to access resources on a private network, regardless of whether they are within or outside the network perimeter.
Here, the entire application portfolio, including the insurer’s security console, is hosted on the cloud. This, said Ghosh, enables the insurer to control IT infrastructure costs in an efficient manner.
Some best practices
The lockdown and remote working have also put in place a set of best practices. Insurers said that even when offices reopen, these security measures would be part of the new normal.
Future Generali India’s Deshpande said that using a virtual private network (VPN) on the work device before connecting to your home network should be a standard practice followed by everyone.
Deshpande’s company has added a layer of security by incorporating the Two-Factor Authentication process. Deshpande said that if employees are using their laptops, they get access to the server only through virtual desktops.
Further, the company has also installed multiple patches (code changes) and uses the DLP tool to ensure all information is secure.
At Bajaj Allianz Life Insurance, the server cannot be accessed from a personal computer or laptop. Datta told Moneycontrol that the personal device is connected to a virtual PC and this virtual system takes the user to the central server.
“Even if an employee tries to download something from the server, it will show only on the virtual PC and not their personal device. This was put into effect from March 23, when remote working was started at the company,” he added.