Insurance companies know how to protect their clients’ homes, cars, and businesses— but protecting the personal information of those customers is a bit harder to assure.
While the insurance industry focuses on risk-based analyses for its own underwriting programs, firms also need to apply those same risk management processes to securing customer information.
What Kinds of Protected Data Do Insurance Professionals Collect?
The National Association of Insurance Commissioners (NAIC) established a model law, the Insurance Data Security Model Law, for governing cybersecurity risks in the insurance industry.
According to a recent study from the NAIC, the core risks facing an insurance company are, “underwriting, credit, market, operational, liquidity risks, etc.” The study also lists the types of data that must be protected via risk management, and classifies such data as “nonpublic” information.
Types of Protected Data
- Social Security number
- Driver’s license number or non-driver ID number
- Account number, credit card, or debit card number
- Security code, access code, or password that enables a consumer to access an account at a financial institution
- Biometric records
- Information obtained from a healthcare provider regarding a customer’s past, present, or future physical, mental, or behavioral health or condition; or any such information about a customer’s family members
- Information obtained from a healthcare provider regarding care provided to the customer
- Information obtained from a healthcare provider about payment for the provided care
- Any business-related information of the insurer whose tampering, unauthorized disclosure, access, or use would have a material adverse impact on the business, its operations, or its security
In short, almost all the information that helps an insurance company determine the premium for a consumer’s insurance policy is nonpublic, and should be protected.
NAIC Best Practices for Risk Assessment
A risk assessment identifies and evaluates the potential risks to your organization’s ability to do business. These include project risks, function risks, enterprise risks, inherent risks, and control risks.
For insurance companies this should be nothing new; the goal of any insurance underwriter is to properly assess risk by applying actuarial science to assign a monetary value required to properly insure against that risk.
They must not, however, make the mistake of believing that risk management is only valid where their customers are concerned. Insurers must protect themselves as well.
Insurers collect a variety of personal data that cybercriminals can leverage to commit fraud and various other crimes. Thus, proper risk assessment and management are extremely important for this industry.
The NAIC has listed five steps to perform an effective risk assessment.
Step 1: Designate a Risk Manager
The risk manager can be an employee, several employees, or a vendor responsible for the overarching information security program.
Step 2: Identify Reasonably Foreseeable Internal and External Threats
These threats arise from potential unauthorized access, transmission, disclosure, misuse, alteration, or destruction of the protected information. The threats identified must include those arising from the insurer’s own internal systems as well as those introduced by third-party service providers.
Step 3: Assess the Likelihood and Estimate Damage
Considering the private nature of the information that insurance companies collect, they must assess the likelihood that cybercriminals will target the company’s databases and estimate the potential financial, reputational, and legal damage if they succeed.
Step 4: Review Current Policies, Procedures, Systems, and Safeguards
Determine how well the current controls protect data; this provides insight into additional cybersecurity needs. When reviewing information systems, insurance companies need to look at all aspects of their controls. To do this, they must review and assess network and software designs first.
They also need to assess the risks posed by their current information classification, governance, processing, storage, transmission, and disposal procedures. Moreover, they need to understand how well their current detection, protection, and response processes secure the information from attacks, intrusions, and system failures.
Finally, they need to assure continuous, relevant training for employees and managers.
Step 5: Implement Procedures and Safeguards
Once you identify shortcomings in your cybersecurity controls, implement mitigation measures as necessary to reduce the risk to whatever tolerance has been defined by your board.
Beyond that, remember: the effectiveness of cybersecurity controls will change as insurance companies incorporate new technologies and as cybercriminals evolve their threat methodologies. So insurance firms should re-perform their risk assessment at least once a year to assure continued control effectiveness.
How Does Risk Management Differ From Risk Assessment?
The risk assessment measures various risks and helps an insurance company decide which ones are most significant. Enterprise risk management (ERM) is what happens afterward: for each significant risk the company decides whether to mitigate it, accept it, or transfer it (for example, to a vendor or through cyber insurance), and then monitors and updates the controls for every risk it has mitigated or accepted.
Steps to Risk Management for Insurance Professionals
Insurance firms face cybersecurity regulation at the state and national level, plus extensive security expectations from the banks that work with insurance firms. Adding more complications, state-level security regulation will be mostly similar, but not identical, across all jurisdictions.
When insurance companies and claims adjusters properly manage risk, it gives them an advantage — not only by providing loss control against costly data breaches, but also by protecting insurance brokers from compliance violations and enhancing their credibility with clients looking for insurance products that can protect the things most precious to them.
NAIC sets out five steps to risk management for insurance companies.
Step 1: Design an Information Security Program
An information security program should be appropriate for the insurance professional’s size and complexity. As part of the ERM approach, a company may choose to mitigate the risks itself or transfer the risk to a vendor. If the company outsources services, however, it needs to assure that the outsourcing partner also protects sensitive information.
Step 2: Choose Appropriate Security Controls
Similar to other prescriptive standards, the NAIC model law offers a list of security measures that an insurer should consider, and implement where appropriate, when building its information security program. The 11 controls are:
- Create authentication and access controls
- Identify critical data, personnel, devices, information technology (IT) systems, and facilities
- Restrict physical access
- Incorporate at-rest and in-transit encryption
- Adopt secure software development practices
- Modify the information systems to maintain compliance with the security program
- Incorporate controls, such as multi-factor authentication, for access
- Test and monitor systems and procedures regularly
- Create audit trails designed to detect and respond to cybersecurity events, and sufficient to reconstruct material financial transactions
- Implement measures to protect against destruction, loss, or damage from natural disasters, fire, and water damage, or technological failures
- Create secure disposal and records retention procedures
Step 3: Cybersecurity in ERM
Rather than treating cybersecurity as a standalone program, the model law requires insurers to include cybersecurity risks in their existing enterprise risk management process, so that information security is weighed and governed alongside the company’s other enterprise risks.
Step 4: Stay Informed
This risk management procedure focuses on sharing information about emerging threats and vulnerabilities. As part of continuous monitoring, insurance companies should be aware of new threat vectors. As part of informing internal and external stakeholders, they need to establish clear communication procedures.
Step 5: Cybersecurity Training
The model law requires both initial training and continued, updated training that reflects new risks to the data ecosystem and environment. Pairing this step with the “stay informed” procedure underscores that employee cyber awareness must be refreshed as the threat landscape changes, not delivered once at onboarding.
How ZenGRC Connects Risk Management & Insurance
With the amount of personal information collected by insurance agents, cybersecurity risk management should be as high a priority as everyday business administration.
That said, traditional tools like shared calendars for task assignments and emails for discussions take the time that could be better spent monitoring cybersecurity. Maintaining an effective information security program requires an efficient workflow tool to coordinate communication and task management across internal stakeholders.
This is true for all types of insurance players: financial services, life insurance, health insurance, or property and casualty insurance services.
ZenGRC provides insurance compliance software that allows you to prioritize tasks. Everyone knows what to do and when to do it, and records are retained for as long as required and disposed of securely when that period ends.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
For more information about how ZenGRC can streamline your GRC process, schedule a demo today.