The Regulatory Burden
The insurance industry is a target for many types of cyberattacks due to the amount of high value information it manages. Ransomware is a top threat due in part to the details of cyber insurance coverage that can aid in targeting and planning attacks.
Insurance companies also possess a great deal of personally identifiable information (PII) on financial and health information collected as part of the underwriting and claims processes that bad actors can use for fraud and other malicious purposes.
The insurance industry is primarily regulated by state insurance commissioners and the National Association of Insurance Commissioners model security law.
Insurance professionals face cybersecurity regulation at the state and national level, along with extensive security expectations from the banks that work with them.
Adding more complications, state-level security regulation will be mostly similar, but not identical, across all jurisdictions.
This amounts to several frameworks that insurance firms are expected to comply with and leverage to build a comprehensive cybersecurity program. This is often far too complex to be achieved through manual processes and spreadsheets.
Instead, insurance companies require compliance and risk management software to gain a unified view of compliance and risk, automate manual work and communicate the impact of risk to key stakeholders.
A Framework for Cybersecurity Success
The National Association of Insurance Commissioners (NAIC) model security law lists 13 pieces of information firms need to report to state insurance regulators after a breach. It includes details such as how the breach was discovered and whether a police report was filed.
Additionally, large insurance firms that do business in the state of New York must comply with the New York Department of Financial Services cybersecurity regulation known as Part 500. The DFS rule requires encryption, access controls, penetration testing, incident response plans and annual compliance certification.
Manage Compliance and Risk with Confidence and Ease
ZenGRC delivers an insurance risk and compliance management solution that empowers insurers to assess their cyber risks and prioritize risk mitigation strategies for the most severe risks first.
With compliance and security frameworks built-in and maintained by experts along with suggested risk and threat scores and real-time connections between control assessments and risk scoring, Risk and Compliance Officers get a unified, real-time view of risk and compliance and significant efficiency gains to stay ahead of threats, reduce risk and strengthen compliance.
Given the overlapping thicket of regulations that apply to the sector, a solid ability to perform risk assessments, risk remediation, and get real-time updates of your risk and compliance postures along with trends over time.
Our solutions can empower insurance companies to unify the risk, cybersecurity and compliance to get contextual, strategic insight so they can focus on mission-critical tasks that grow the business.
With ZenGRC insurance risk and compliance software, you can leverage automation and framework content to:
- Assess your data privacy and cybersecurity requirements
- Identify security gaps that must be filled to meet regulatory requirements
- Continuously test the effectiveness of controls so you are always audit ready
- Get real-time risk scores that automatically update to surface hidden or changing risk
- Ensure that remediation tasks are assigned appropriately and executed on a timely basis
- Monitor third parties that have access to confidential data and assess their security postures
- Communicate the financial impact of risk to executives and the board
- Understand and respond to any new regulations that emerge
Frequently Asked Questions
What Types of Protected Data Do Insurance Providers Collect?
The National Association of Insurance Commissioners (NAIC) has determined that types of protected data include:
- Social Security numbers
- Driver’s license numbers
- Banking account data, credit or debit card numbers
- Security codes, passwords, etc
- Biometric data
- Healthcare information
- Any data that can materially impact a business in an adverse way
In other words, nearly any data that helps a company determine insurance coverage or calculate the premium for a consumer’s insurance policy should be protected.
How Should Insurance Firms Conduct a Risk Assessment?
The NAIC had designated five critical steps to perform an effective risk assessment.
Step 1: Designate a Risk Manager
Step 2: Identify Reasonably Foreseeable Internal and External Threats
Step 3: Assess the Likelihood and Estimate Damage
Step 4: Review Current Policies, Procedures, Systems, and Safeguards
Step 5: Implement Procedures and Safeguards
What is the Difference Between Risk Management and Risk Assessment?
Risk assessments measure various risks and help insurance companies determine which risks are the most severe, and thus, should be prioritized.
On the other hand, Enterprise Risk Management (ERM) for insurance companies encompasses implementing, managing and monitoring security controls for mitigated or acceptable risks.