Insurance Companies: What Customers Expect in Terms of Security

More and more insurance policies are sold online. Here’s what insurance companies should do to ensure the security of sensitive data.

Jan 3, 2022 - 3 min.
Sebastian Ulbert

Digitalisation has caused a radical upheaval in the insurance industry. Whereas physical files containing customer data used to require shelf after shelf of physical storage space and consultations were mostly conducted in person, by telephone or by post, many insurance policies today are sold online – especially for products that require less consultation, such as travel cancellation insurance, car insurance or legal expenses insurance. In the age group of 18- to 64-year-olds, 57 per cent have already purchased such a policy online, as a representative survey conducted by Germany’s digital association, Bitkom, revealed. Consequently, insurance companies are accumulating ever-increasing quantities of digital data that must be properly protected – from addresses and account information to details about asset values and health. But what do customers value most when it comes to security? And how can their expectations be met?

To investigate consumer expectations with regard to data security, Nevis and the online market research institute mo'web research conducted a joint survey in March 2021 of 1,000 consumers in Germany aged 14 and above. The topics included personal attitudes towards passwords, acceptance of social logins as a form of Single Sign-on (SSO), and multi-factor authentication. The analysis shows that the fear of cyberattacks is real. Around 95 per cent of those surveyed indicated that they were worried about the security of their private data. Furthermore, some 93 per cent of the study participants who had been spared an attack up to now were concerned about falling victim to cybercriminals in the future.

A large majority (81 per cent) believe that data security is primarily their responsibility. Conversely, just 40 per cent of those surveyed trusted that legislation offers reliable protection against data theft. However, this does not relieve companies of their responsibility: almost half (48 per cent) of the study participants believe that companies must take the necessary steps to protect against cybercrime.

The data protection code of the insurance companies

Consumers, therefore, have clear expectations: they recognise that they themselves have a role to play in securing their data, such as by observing the basic rules about password security. However, they also expect the state and private enterprise to contribute their fair share to combat criminal actions. The German Insurance Association (GDV) presented its own Code of Conduct on the subject back in 2018. Member companies signing up to this code must adhere to the comprehensive privacy and data security regulations.

On the one hand, insurance companies undertake to adhere strictly to the principle of data minimisation regulated by the European Union’s General Data Protection Regulation (GDPR). For policies sold online, only the information required to establish a legally valid agreement can be requested. Policyholders are still free to provide additional information – but only if they explicitly consent to do so.

At the same time, the code of conduct includes a commitment on the part of insurers to take all necessary technical and organisational steps to guarantee an appropriate level of protection for the data entrusted to them.

Specifically, this means that:

  1. Only authorised persons may gain knowledge of personal data (confidentiality). In particular, this shall be achieved through authorisation concepts, pseudonymisation or encryption of personal data.
  2. Personal data must remain intact, complete and up to date during processing (integrity).
  3. Personal data must be made available in a timely manner and be processed properly (availability, resilience).
  4. Personal data can be attributed to their source at any time (authenticity).
  5. It can be ascertained who has entered, transferred and altered what personal data at what time and in which manner (capability of revision).
  6. The procedures used to process personal data have been documented completely and updated in such a way that they can be reconstructed within a reasonable amount of time (transparency).

CIAM as a protective barrier

But what does this type of security architecture look like in practice? It is based on customer identity and access management (CIAM), which combines security functions such as proof of identity with comprehensive user administration.

The CIAM system is the interface between the user who is logging into the system from a computer or a mobile device and the back-end applications of the insurance company. Thanks to multi-tenancy (multi-client capability), different user groups can be kept apart and classified in sensible ways. For instance, the CIAM user directory can assign different authorisations to private and business customers, brokers, insurance consultants, as well as to business partners and internal employees. To ensure that user data can also be further processed in the insurance company’s other IT systems, these systems are connected to the CIAM system by an interface.
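As an added illustration (not code from the article or from Nevis), the following Python sketch reduces two of the code-of-conduct points above to a single access check: an authorisation concept with group-based permissions and tenant separation for the user groups named in this scenario (point 1), plus an audit record of who did what to whose data and when, using a pseudonymised customer identifier rather than the raw one (points 1 and 5). The permission sets, tenant names and the pseudonymisation key are constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed demo key; a real deployment would fetch it from a key vault.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Authorisation concept: permissions per directory group (assumed values;
# the article names the groups but not what each may do).
GROUP_PERMISSIONS = {
    "private_customer": {"read_own_policy"},
    "business_customer": {"read_own_policy"},
    "broker": {"read_client_policy"},
    "employee": {"read_any_policy", "update_policy"},
}

@dataclass
class User:
    user_id: str
    group: str
    tenant: str                               # multi-client separation
    managed_clients: frozenset = frozenset()  # brokers: customers they serve

AUDIT_LOG: list = []   # capability of revision: who, what, whom, when, outcome

def pseudonymise(customer_id: str) -> str:
    """Keyed hash so audit records never carry the raw customer identifier."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def authorise(user: User, action: str, customer_id: str, customer_tenant: str) -> bool:
    """Decide whether `user` may perform `action` on `customer_id`'s policy
    and record the decision, allowed or not, in the audit trail."""
    perms = GROUP_PERMISSIONS.get(user.group, set())
    if user.tenant != customer_tenant:
        allowed = False                       # tenants never see each other's data
    elif action == "read_policy":
        allowed = (
            "read_any_policy" in perms
            or ("read_own_policy" in perms and user.user_id == customer_id)
            or ("read_client_policy" in perms and customer_id in user.managed_clients)
        )
    elif action == "update_policy":
        allowed = "update_policy" in perms
    else:
        allowed = False                       # unknown actions are denied
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": user.user_id, "action": action,
        "subject": pseudonymise(customer_id), "allowed": allowed,
    })
    return allowed
```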

In this scenario, it is important to ensure at all times that the user at the screen is actually the person he or she claims to be. To do this, CIAM solutions rely on identity verification procedures that combine convenience and security during the login. The key component here is the access app, which users can install on their mobile devices. This makes it possible to use the latest, virtually tamper-proof procedures, such as passwordless authentication using fingerprint or facial ID scans.

That is how CIAM forms the backbone of a customer management solution that gives top priority to the security of all the data the customer has entrusted to the company. For insurers, these types of customer management systems are ideal when it comes to meeting user expectations of convenience and security. The CIAM system also builds an effective barrier against cyberattacks and the illegal tapping of sensitive information.
