Data collection presents significant risks

INSURERS, like other companies collecting large amounts of personal information, must think hard about risks associated with data collection, a cyber security expert at KPMG has warned.

Advisory partner John Heaton noted that insurance companies hold valuable customer information such as credit card and driver’s licence numbers and home addresses — all of which can be used for identity theft.

He said the important question companies must ask is: ‘How important is that data?’

“Companies tend to be focused on the technology aspect, encrypt the data and come up with a technology-based solution, but how valuable is the data to the company versus to someone else,” Mr. Heaton told Thompson’s. “Do the threats and risks cost more than the data is worth?”

For example, credit card information is often used for analytical purposes but storing that information long-term is not always needed.

“Management needs to make a conscious decision and what is the benefit and cost of having that data and how long to keep it and at what level of detail,” Mr. Heaton said.

All insurers are vulnerable to cyber threats but the size of the risk doesn’t correlate with the size of the company.

“The size of the risk is driven by management and the board asking more about cyber and how the company is protecting data and how,” Mr. Heaton said. “Management needs to be driven top-down and how to protect the data is a management issue, to identify what are an organization’s security gaps.”

He said the good news is companies are better prepared and more cyber risk resilient.

The bad news is there will be no end to cyber breaches.

“This is a reality and companies are more prepared because they are being challenged,” Mr. Heaton said.

(More coverage of risks associated with data collection and all things cyber is presented each week in Thompson’s. To subscribe, please choose the ‘Subscribe’ tab on our main page or email mpub@rogers.com).