Protecting member data
In an era where data breaches and cyber threats are on the rise, TAL is committed to safeguarding the data of our partners and their members. At last week’s ASFA conference in Sydney, TAL Chief Risk Officer Cameron Pelling joined a panel of experts – including David Geber, Rest General Manager of Information Security & Risk – to discuss TAL’s journey to effectively manage risk while ensuring the integrity and security of the sensitive information we deal with.
Building robust defences
Through TAL’s partnerships with superannuation funds, we protect the lives and financial security of more than 4 million Australians and their families. As a third-party provider, our role includes handling huge quantities of member data – and it’s a responsibility we take very seriously.
In many cases, we also need to share this data with fourth-party providers, such as reinsurers or health partners who deliver services to members on our behalf. To maintain trust and ensure data security, our Cyber, IT, Risk and Legal teams conduct extensive due diligence before engaging any service provider.
To combat external threats like cyberattacks from hackers, TAL employs close to 40 cyber specialists who manage several layers of defence mechanisms including firewalls and intrusion detection systems, as well as performing regular security audits to prevent unauthorised data access. As well as our investment in building scale for our own defences, being part of the Dai-ichi Life Group also extends our global cybersecurity capabilities. So, for instance, if a threat emerges overseas, we have greater visibility and can tap into expert support on the ground to understand the risk and develop a swift response.
Embedding a whole-of-organisation risk culture
While external threats are a significant concern, internal threats can be just as dangerous. These threats could stem from employee negligence, such as the mishandling of sensitive information, or intentional actions like data theft or sabotage. At TAL, we ensure information security is embedded across all business practices, making sure all our staff are aware of their obligations to properly classify, secure and manage the information they handle.
We believe that data protection requires a whole-of-organisation approach, underpinned by the support and commitment of the Board and a culture of continuous improvement. Ongoing education of employees at all levels of the organisation is also critical for ensuring that our teams understand the risks associated with holding, storing and transmitting data.
Our focus on building a business-wide risk culture ensures that every employee understands the importance of data protection and their role in maintaining it. We also conduct cyber simulations and bring in external experts to manage potential data breaches, ensuring our teams are equipped to handle any situation.
Secure by design
As part of our approach, we ensure that all our information systems, platforms and digital tools are secure by design. This includes implementing security controls at the earliest phases of the project lifecycle and maintaining assurance mechanisms to monitor their efficacy.
The more data you collect, the greater the potential risks – and as a life insurer, we naturally need to hold some data for many years so we can maintain members’ cover and manage their claims. But we also challenge ourselves to think deeply about the types of data we collect, store, and retain.
For instance, our new Health Scout tool – which is an online survey that helps members learn more about their specific health risks – has been designed with the member’s privacy in mind. When a member engages with the tool, they’re not identified, and their survey responses are completely anonymous. We don’t collect any of their health data and the results don’t affect their cover in any way – and we make this clear to members throughout the process.
A true partnership approach
As a partnership business, maintaining our reputation and the trust of our fund partners is paramount. Through continuous engagement and communication, we ensure that all parties involved in handling member data are aligned with our security objectives and practices. An example of this has been our engagement with our partner community to co-design our response to managing the incoming CPS 230 requirements.
CPS 230 aims to build resilience between insurers and funds to ensure that, in the event of a disruption, all operational risks are effectively managed so we can maintain critical operations. At TAL, we are integrating CPS 230 into our regulatory framework to ensure we meet and exceed the requirements, as part of our operational excellence program. We’re also working with our partners on implementing the changes so we can consistently provide the same level of assurance, while also considering the size, complexity, and business mix of each fund.
As the next step, we’re currently developing an assurance model that will integrate the governance and reporting requirements of both CPS 230 and CPS 234. Our aim is to give our partners additional confidence in the control environment supporting our critical operations, and we’ll share further details as this work progresses.
When it comes to protecting member data, collaboration and transparency are key. TAL’s information security experts will continue to work closely with their fund partner counterparts so we can further strengthen our collective defences, identify any emerging threats, and ultimately drive a better member experience.