The Regulatory Burden

The insurance industry is primarily regulated by state insurance commissioners and the National Association of Insurance Commissioners model security law.

Insurance professionals face cybersecurity regulation at the state and national level, along with extensive security expectations from the banks that work with them.

Adding more complications, state-level security regulation will be mostly similar, but not identical, across all jurisdictions.

This amounts to several frameworks that insurance firms are expected to comply with and leverage to build a comprehensive cybersecurity program. This is often far too complex to be achieved through manual processes and spreadsheets.

Instead, insurance companies require compliance management software to streamline task management, automate workflow management and coordinate communication across stakeholders.

Man holding a model of a house in his hands

A Framework for Cybersecurity Success

The NAIC model security law lists 13 pieces of information firms need to report to state insurance regulators after a breach. It includes details such as how the breach was discovered and whether a police report was filed.

Additionally, large insurance firms that do business in the state of New York must comply with the New York Department of Financial Services cybersecurity regulation known as Part 500. The DFS rule requires encryption, access controls, penetration testing, incident response plans and annual compliance certification.

Furthermore, like any other large business, insurers face all the usual requirements to protect personal information under rules such as HIPAA, GDPR, the Gramm-Leach-Bliley Act and state consumer protection laws.

Manage Compliance and Risk with Confidence and Ease

The sheer quantity of personal data collected by insurance agencies makes them a prime target for operational risk. Managing that risk is as critical to their success as day-to-day administration.

The Reciprocity® ZenGRC® platform delivers an insurance compliance solution that empowers insurers to assess their cyber risks and prioritize risk mitigation strategies for the most severe risks first.

Compliance officers can use the ZenGRC software solution to assign compliance management tasks to the appropriate individuals assigned to each cyber risk with workflow tagging.

And with the ZenGRC compliance software, audit trail functionality helps insurers document their risk mitigation activities and security controls used to maintain data integrity, confidentiality and availability as mandated by their regulatory compliance obligations.

3D pie chart and bar graphs

Compliance Objectives

Given the overlapping thicket of regulations that apply to the sector, a solid ability to perform risk assessments, rack remediation, and organize documentation that maps to various frameworks is critical.

ZenGRC can empower insurance agencies to better manage the compliance process, so they can focus on mission-critical tasks that grow the business.

With ZenGRC insurance compliance software, you can leverage automation and framework templates to:

  • Assess your data privacy and cybersecurity breach detection requirements
  • Develop documentation and assurance mechanisms so senior officers certifying compliance can do so with confidence
  • Ensure that remediation tasks are assigned appropriately and executed on a timely basis
  • Identify security gaps that must be filled to meet regulatory requirements
  • Monitor third parties that have access to confidential data and assess their security postures
  • Understand and respond to any new regulations that emerge

Driving Greater Information Security in Digital Healthcare

Omada Health is one of the largest digital healthcare practitioners globally, serving some 1,200 businesses and over 400,000 individuals since its inception in 2011.

However, they were struggling to manage their risks. Omada Health’s risk and compliance managers were using spreadsheets to track controls and compliance activities and those of its more than 250 vendors.

On top of that, they didn’t have a single repository from which they could see gaps across frameworks, nor did they have a standard way of doing a risk assessment. The process was confusing, time-consuming, frustrating, and ineffective.

Read on to find out how ZenGRC helped Omada Health complete its first comprehensive risk assessment, correct deficiencies, and fill gaps to become compliant with a number of critical security frameworks, including HITRUST and SOC 2.

ZenGRC Omada case study

See why Information security is top-of-mind for healthcare providers

Choose the product that suits you

Compliance
Reciprocity ZenComply

Accelerate your compliance programs and see how they impact your risk posture.

Group 3485
Reciprocity ZenRisk

Gain contextual insight on your risk posture to mitigate business exposure.

Frequently Asked Questions

The National Association of Insurance Commissioners (NAIC) has determined that types of protected data include:

  • Social Security numbers
  • Driver’s license numbers
  • Banking account data, credit or debit card numbers
  • Security codes, passwords, etc
  • Biometric data
  • Healthcare information
  • Any data that can materially impact a business in an adverse way

In other words, nearly any data that helps a company determine insurance coverage or calculate the premium for a consumer’s insurance policy should be protected.

The NAIC had designated five critical steps to perform an effective risk assessment.

Step 1: Designate a Risk Manager

Step 2: Identify Reasonably Foreseeable Internal and External Threats

Step 3: Assess the Likelihood and Estimate Damage

Step 4: Review Current Policies, Procedures, Systems, and Safeguards

Step 5: Implement Procedures and Safeguards

Risk assessments measure various risks and help insurance companies determine which risks are the most severe, and thus, should be prioritized.

On the other hand, Enterprise Risk Management (ERM) for insurance companies encompasses implementing, managing and monitoring security controls for mitigated or acceptable risks.