Insurance companies know how to insure their clients’ homes, cars, and businesses, but they may find it difficult to ensure that the information they collect remains secure. While the insurance industry focuses on risk-based analyses for premiums, it needs to focus internally and use those same risk management processes for securing customer information.
Risk Management Process For Insurance Professionals
What kinds of protected data do insurance professionals collect?
In 2017, the National Association of Insurance Commissioners (NAIC) established a model law for governing cybersecurity in the industry. Although not enforceable until individual states ratify it, the model law sets forth current best practices. The model law uses the term “nonpublic” information as a catchall phrase for the data that companies need to protect.
This information includes:
- social security number
- driver’s license number or non-driver ID number
- account number, credit card, or debit card number
- security code, access code, or password that enables a consumer to access an account at a financial institution
- biometric records
- information obtained from a healthcare provider regarding past, present, or future physical, mental, or behavioral health or condition about a consumer or consumer’s family member
- information obtained from a healthcare provider regarding care provided to the consumer
- information obtained from a healthcare provider about payment for the provided care
- any business information that can materially impact a business in an adverse manner
In short, almost all the information that helps an insurance company determine the premium for a consumer’s insurance policy is nonpublic.
What kind of risk assessment is necessary?
NAIC listed five steps to engaging in a risk assessment.
Designate a risk manager
The risk manager can be an employee, several employees, or a vendor responsible for the overarching information security program.
Identify reasonably foreseeable internal and external threats
These threats arise from potential unauthorized access, transmission, disclosure, misuse, alteration, or destruction of the protected information. Moreover, the threats identified need to incorporate those from internal systems or third-party service providers.
Assess likelihood and estimate damage
Considering the private nature of the information that insurance companies collect, they need to assess the likelihood that cybercriminals will target the databases as well as estimate potential financial, reputational, and legal risks.
Review current policies, procedures, systems, and safeguards
Determining how well the current controls protect data provides insight into additional cybersecurity needs. When reviewing their information systems, insurance companies need to look at all aspects of their controls. To do this, they must first review and assess network and software designs. They also need to assess the risks posed by their current information classification, governance, processing, storage, transmission, and disposal procedures. Moreover, they need to understand how well their current detection, protection, and response processes secure the information against attacks, intrusions, and system failures. Finally, they need to ensure continuous, relevant employee and management training.
Information security control effectiveness changes as insurance companies incorporate new technologies and as cybercriminals evolve their threat methodologies. Thus, they need to engage in the risk assessment at least once a year to ensure continued control effectiveness.
How is risk management different from the risk assessment?
The risk assessment indicates various risks and helps an insurance company define the ones that are most significant. However, enterprise risk management (ERM) for insurance companies means monitoring and updating controls for mitigated or accepted risks unless the company decides to engage in a risk transfer. NAIC set out five steps to risk management for insurance companies.
Design an Information Security Program
An information security program should be appropriate for the insurance professional’s size and complexity. As part of the ERM approach, a company may choose to mitigate the risks itself or transfer the risk to a vendor. However, when the company outsources services, it needs to ensure that the third party also protects sensitive information.
Choose Appropriate Security Controls
Similar to other prescriptive standards, NAIC listed a series of controls that can help guide insurance professionals. The eleven controls are:
- Create authentication and access controls
- Identify critical data, personnel, devices, systems, and facilities
- Restrict physical access
- Incorporate at-rest and in-transit encryption
- Adopt secure software development practices
- Modify the information systems to maintain compliance with the security program
- Incorporate controls, such as multi-factor authentication, for access
- Test and monitor systems and procedures regularly
- Create audit trails to detect and respond to cybersecurity events that enable reconstruction of material financial transactions
- Implement measures to protect against destruction, loss, or damage from natural disasters, fire, water damage, or technological failures
- Create secure disposal and records retention procedures
Cybersecurity in ERM
Although NAIC appears to create an ERM-based approach to cybersecurity, the model law specifies the reverse relationship: the enterprise risk management process should incorporate information security.
Rolling together continuous monitoring with training, this risk management procedure focuses on sharing information about emerging threats and vulnerabilities. As part of continuous monitoring, insurance companies should be aware of new threat vectors. As part of informing internal and external stakeholders, they need to establish clear communications.
The model law focuses on both initial training and continued, updated training to reflect new risks to the data ecosystem and environment. Like the “stay informed” procedure above, this highlights the importance of employee cyber awareness.
How ZenGRC Enables Cyber Risk Management for Insurance Companies
With the amount of personal information collected in insurance, risk management should be a priority. Companies need a way to enable communication with internal and external stakeholders. Traditional tools like shared calendars for task assignment and email for discussions take time that could be better spent monitoring cybersecurity.
Maintaining an effective information security program requires an efficient workflow tool to coordinate communication and task management across internal stakeholders.
ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can maintain records – up until the time you need to dispose of them.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.