Why CISOs are the new champions of insurance transformation


The insurance industry's business model is rapidly evolving as the latest consumer and business technologies deliver greater quantities of real-time data than ever before. McKinsey predicts that by 2030, processes like underwriting as we know it will cease to exist — machine and deep learning models will automate policies and reduce delivery time to seconds. The rapid adoption of new tools, infrastructure, and talent will certainly influence underwriting, pricing, claims, distribution, and other core components of the insurance industry. The accumulation of system-generated data will also help insurers better understand their customers’ preferences, habits, and risks — and thus support a more intelligent level of service and a more holistic product offering.

As with all technology advancements, however, there are additional risks to monitor and mitigate. What does this technological progression mean for insurance CISOs? New opportunities to guide the transformation are on the horizon.


Changing the way insurance connects with customers

Advancements in wearables and IoT data have benefited health insurers, who grant rebates based on data indicating healthy lifestyle choices, which theoretically reduces losses for the carrier. Auto insurers and customers are also likely to soon benefit from the connected vehicles ecosystem, which may support behavior-based pricing tied to driving style ("pay how you drive") or vehicle use ("pay as you drive") to give policyholders attractive opportunities to save.

As carriers look toward the future and aim to be more customer-centric, many leading insurers are exploring the appetite to not just price and compensate for risk but also to prevent it altogether. Adjacent to coverage policies, insurers are looking to provide services such as cyber and risk engineers, who can help prevent disasters before they even occur. Products offered by insurers or partners can help detect conditions in customers’ homes that may signal a leak or break-in. The same logic applies to health insurers who may leverage the data collected through wearables to warn of conditions that may signal a need to see a doctor.

Enabling technical evolution, securely

As the insurance industry becomes more sophisticated, the volume of sensitive data generated, streamed, stored, and utilized increases exponentially. For data and information security leaders within insurance, this poses an important question about how the information is created, protected, and used. Insurers are already huge targets for cybercriminals, given the volume of sensitive financial or medical data they manage. This will only increase as carriers collect more information on customer profiles, habits, and preferences. As in other regulated industries, abiding by regulations and obtaining customers' trust are paramount to any digital evolution.

This creates a massive opportunity for the CISO as an enabler of evolution. Since security will be top of mind for any transformation effort, security leaders have the chance to set best practices and implement new tools and processes that drive greater comfort for the company, clients, partners, and regulators. Consolidating legacy tools will undoubtedly be top of mind as CISOs consider more intelligent next-generation security tools with built-in machine learning to help detect unusual patterns, especially as new vendors and applications are onboarded. 


Driving third-party governance

As insurers increasingly rely on third parties to supply the products, services, or intelligence to improve their offerings, CISOs will continue to play a more significant role in vendor selection and implementation. In a recent ThoughtLab survey sponsored by Elastic, 34% of CISOs in insurance have expanded their roles to take on vendor, third-party, and supply chain management. This will likely increase as legacy insurers depend on and partner with insurtechs to maximize offerings across the value chain.

CISOs will play an ever-important role (in collaboration with legal and compliance) in defining best practices for third-party risk assessments, due diligence, and access controls. Contract terms covering the reporting of breaches or incidents are critical to ensuring the ecosystem's health. When vendors are offboarded, provisions must be set to ensure it is done cleanly, with all data accounted for and access controls revoked.

Setting the pace of innovation 

The CISO, in partnership with CIOs, CDOs, and CTOs, will be instrumental in setting the pace of digital transformation. According to the survey, 41% of insurance CISOs are getting more involved in product development. With an immediate seat at the table, CISOs can give other senior leaders in the organization confidence that new digital journeys and applications can go to market securely.

Additionally, as IoT and new applications continue to be top of mind across the industry, the CISO is a critical partner in defining who gets access to essential but sensitive new user and system-generated data. By working with their technology partners to align on common tools for monitoring and securing critical systems, CISOs will have greater confidence in their ecosystem. This will enable their teams to detect, identify, and remediate threats while giving their technology partners the ability to ensure the health, performance, and compliance of critical systems that power the business and serve their customers. Utilizing data and security tools with multi-tenancy and field-level security tied to RBAC and ABAC can help carriers meet compliance mandates like GDPR, HIPAA, and CCPA, and abide by standards of governing bodies such as the National Association of Insurance Commissioners (NAIC).

The path forward

With the digital ecosystem evolving so quickly, CISOs within insurance are focused on working together to ensure the greater health of the ecosystem. That's why many security leaders are increasingly looking at the concept of open security — a methodology that shifts the dynamic of a security company's relationship with its customer and has the potential to transform the cybersecurity industry by bringing security practitioners together to create a more resilient response to enterprise threats. 
