How to address Gen AI privacy challenges


Generative AI (Gen AI) presents many opportunities for insurance organizations. But insurance is a business built on handling personal data, so Gen AI also poses critical security and compliance challenges. Two of the main obstacles are data residency and personally identifiable information (PII) risk.

Data residency refers to the geographic location where data is stored and processed. Insurers must keep customer data protected and under their own control; failing to do so has significant implications for compliance, security and customer trust. This is commonly achieved with virtual private clouds (VPCs), which provide isolated network resources that mimic an on-premises data center, or with on-premises deployments. Gen AI raises the stakes, because it introduces new paths by which that data can leave the environment.

When Gen AI runs within an insurer's own tech stack, hosted in a VPC or on premises, customer data stays under the organization's oversight. When it is consumed instead as a shared, multi-tenant service in a public cloud such as AWS, Google Cloud Platform (GCP) or Microsoft Azure, prompts and the data retrieved to answer them are processed in an environment the insurer does not control. These options are scalable and cost-effective, but they raise security questions and often leave insurers with limited visibility into where customers' sensitive information travels.

For example, consider the journey of a single query. Data is retrieved from the insurer's knowledge base and fed to a large language model (LLM) to produce a response. If the LLM is not under the insurer's control, that retrieved data, and any PII in it such as names, email addresses, account numbers and Social Security numbers, is exposed to a third party. Given the AI regulations emerging in various jurisdictions, this is a significant red flag, quite apart from what a bad actor could do with the same data.

This becomes more complicated still when the data fed to the LLM comes from sources such as SharePoint, Dynamics, Salesforce and PDF documents, much of it unstructured, so the PII it contains is not known in advance. Routing that material through a public cloud-hosted LLM raises further questions about data flow, storage and compliance.

Controlling where customer data is stored and processed when using Gen AI lets insurers protect themselves more effectively against unauthorized access and cyber threats, and safeguard customers' personal information.

How can insurance organizations best navigate this? The following recommendations include some best practices to consider:

  • Enterprise LLMs: Insurers should opt for self-hosted or private LLM instances, where they have total control over the data flow. This offers the greatest control over customer data, and therefore the strongest security posture, though it also places the operational burden of running the model on the insurer.
  • Data processing agreements (DPAs): If an insurer must use external LLM providers, it needs to make sure robust DPAs are in place. These contracts should explicitly set out data handling, retention and compliance commitments.
  • Data anonymization: Where possible, insurers should anonymize or pseudonymize customers' PII before it ever reaches the LLM. This is a strong first line of defense: if the model never receives the real values, a leak on the provider's side cannot expose them.
  • Access controls: Insurers should implement strict access controls, so that only people who need to input or retrieve sensitive information such as customers' PII can do so. Some solutions go further: they enforce those access controls and also intercept prompts containing PII before they reach the LLM, returning meaningful answers while keeping the PII out of LLM processing, which adds a further layer of privacy and control.
  • Audit and monitoring: Insurers should regularly review logs and policies. Continuous monitoring is essential to catch potential compliance breaches early.
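The pseudonymization and prompt-interception steps above can be combined in one guard that sits between the insurer's systems and the model. The following is an added example and not code from the article or from any vendor it mentions; the PII detectors, the ACCT-NNNNNNNN account-number format and the `stub_llm` stand-in for a real model call are all assumptions for illustration. PII found in the retrieved context and the user's question is replaced with keyed, deterministic tokens before anything leaves the insurer's boundary, the real values are restored only in the returned reply, and the audit record contains counts per PII category rather than the values themselves.

```python
"""Pseudonymize PII before it reaches an LLM, then restore it in the reply.

Added example, not code from the original article. The PII patterns and the
ACCT-NNNNNNNN account-number format are assumptions for illustration, and
stub_llm stands in for a real model call.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Assumed detectors. Email/SSN are generic; the account-number format is invented
# for this example. Names need a NER model or a customer directory, not a regex.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ACCOUNT": re.compile(r"\bACCT-\d{8}\b"),
}


def pii_counts(text):
    """Per-category hit counts: safe to write to an audit log, unlike the values."""
    counts = {kind: len(pat.findall(text)) for kind, pat in PATTERNS.items()}
    return {k: v for k, v in counts.items() if v}


@dataclass
class Pseudonymizer:
    key: bytes                                  # stays inside the insurer's boundary
    vault: dict = field(default_factory=dict)   # token -> original value, never sent out

    def token_for(self, kind, value):
        # Keyed hash: the same value always maps to the same token, so the model can
        # still tell that two mentions refer to one customer, but without the key
        # nobody can precompute the token for a guessed SSN or email address.
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        for n in range(8, len(digest) + 1):     # lengthen on the (unlikely) collision
            token = f"<{kind}_{digest[:n]}>"
            if self.vault.get(token, value) == value:
                self.vault[token] = value
                return token
        raise RuntimeError("full-digest collision")

    def scrub(self, text):
        """Replace every detected PII value with its token."""
        for kind, pat in PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self.token_for(k, m.group(0)), text)
        return text

    def rehydrate(self, text):
        """Restore real values, but only for tokens this session created."""
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text


def stub_llm(prompt):
    # Stand-in for the external model: it only ever sees tokens, and here it simply
    # echoes the question line back so the round trip can be checked.
    return "Draft reply regarding " + prompt.splitlines()[-1]


def answer_with_pii_guard(pz, context, question, llm=stub_llm):
    """Scrub retrieved context and the user's question before they leave the
    insurer's boundary; restore the real values only in the returned reply."""
    raw = f"Context: {context}\nQuestion: {question}"
    counts = pii_counts(raw)                    # what to log: categories, not values
    safe_prompt = pz.scrub(raw)
    reply = pz.rehydrate(llm(safe_prompt))
    return {"reply": reply, "prompt_sent": safe_prompt, "pii_redacted": counts}


if __name__ == "__main__":
    # Constructed sample: a retrieved knowledge-base snippet plus a user question.
    context = "Policyholder jane@example.com, SSN 123-45-6789, account ACCT-12345678."
    question = "Confirm the contact email on ACCT-12345678."
    pz = Pseudonymizer(key=b"rotate-me-in-a-real-deployment")
    result = answer_with_pii_guard(pz, context, question)
    print(result["prompt_sent"])
    print(result["reply"])
    print(result["pii_redacted"])
```

The key and the vault are the sensitive state in this design and belong with the insurer, never with the model provider; rehydration is deliberately limited to tokens the guard itself issued, so the model cannot cause arbitrary vault lookups by emitting made-up tokens. Regex detectors only cover well-formed identifiers; names and free-text references need an NER model or a lookup against the customer directory, and any residual matches after scrubbing should block the request rather than let it through.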

Data governance is paramount to preventing data leaks internally and externally. With the appropriate protections in place, Gen AI can empower insurance companies with the insights they need while keeping an organization's and customers' data safe and compliant.
