Current conversations about information security at insurance companies tend to focus on cyber insurance policies, but the insurance compliance officer also oversees the company's own information security stance. As more information becomes digitized, the data insurance companies collect to set premiums, collect payments, and pay claims increasingly poses data security risks.
Insurance Compliance Officer Role & Responsibilities
What information do insurers collect?
The term “insurance” covers a wide array of products. Healthcare, auto, home, life, and general liability services are only the tip of the proverbial iceberg. Each of these products requires insurers to collect a variety of personal information, which in turn triggers a variety of information security compliance requirements. For example, healthcare insurance providers must maintain Health Insurance Portability and Accountability Act (HIPAA) compliance. Meanwhile, home and life insurance products collect information like birth dates, social security numbers, and account details.
However, the data collected from customers is only a small part of the information that insurance companies need to protect. An insurance company payroll department needs to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance to pay employees, while a claims department may be paying an accident victim through a payment vendor.
What threats currently affect the insurance industry?
In November 2017, Accenture outlined the current threats facing the insurance industry. Among the alarming statistics were the following:
- The typical insurance company faces an average of 113 targeted breach attempts per year.
- Only 79% of cybersecurity executives at large insurance companies felt confident in their strategies.
- 61% of insurers noted they took months to detect successful breaches.
- 34% of insurers said they had proper cyber incident response protocols.
- Internal security teams only discover 66% of successful breaches.
These problematic numbers show a hypocritical disconnect between insurers and their cyber insurance insureds. Based on this information, most insurers likely wouldn’t insure their own companies, at least not for a reasonable premium.
What threats affect mid-sized insurance companies?
Theoretically, the threats facing mid-market insurance companies are the same as those facing their larger brethren. Realistically, these companies lack the resources available to their larger competitors because they have less money to spend on security. According to an Arctic Wolf report, 72% of mid-market IT professionals felt their roles incorporated too many different areas, leading to an inability to focus on security. In addition, 50% of respondents said security was too complex and 51% felt that they needed more resources.
Large insurance companies manage large IT departments. They also have an entire compliance department, not just a single compliance officer.
What risk management options are available to insurance companies?
Information security risk management means identifying, understanding, assessing, and mitigating risks. Typically, companies follow five deceptively “simple” steps as part of the risk management process.
1. Catalog data assets
Before beginning any risk management process, you need to identify the types of information that you collect and store. In some cases, the information poses a high financial risk to your company. This information includes personal information such as name, birth date, social security number, account information, or IP addresses.
2. Identify data storage and transmission systems, networks, and applications
Not only does your insurance company collect information, but it stores and shares it in a variety of ways. You may be using a cloud storage solution to enable backup and recovery. Perhaps you use a shared cloud drive to allow access across internal stakeholders. You may also run a web-based platform that allows your customers to review their account information. Some information may be stored on local devices while other information is stored off-premises.
3. Identify threats to the information, systems, networks, and applications
Threats to your information, systems, networks, and applications can be internal or external. Internally, an employee might accidentally (or maliciously) alter information. You also need to review the external threats to your systems and networks. If you’re using a web-based application, you need to ensure appropriate encryption and mitigate web-based attacks like SQL injection and cross-site scripting. Additionally, malicious actors increasingly insert malware and ransomware into browsers and systems to hold information hostage.
4. Establish controls to protect the integrity, accessibility, and confidentiality of information
Establishing controls means putting safeguards in place to help protect information. Once you’ve considered all the ways that someone can compromise your data environment, you need to put up walls that keep intruders out. For example, to protect data from an internal compromise, you need to focus on user access using role-based access controls. For external threats, you need to ensure appropriate firewall configurations, encryption methods, and endpoint security.
5. Monitor the controls’ effectiveness
Threats to your data environment evolve continuously. As companies incorporate new protections, malicious actors find new ways to exploit them. A control that protects you today may not protect you tomorrow. To ensure not only security but compliance as well, companies need to focus on monitoring their environment all the time, not just during a once-per-year audit.
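The five steps above can be expressed as a small risk register that makes the gaps visible: data assets mapped to the systems that hold them, threats scored against each system, controls attached to threats, and a check that each control is still being verified on its review cadence. The following is an added example written for this article, not code from the article or from any GRC product; every asset, system, threat, control and date in it is constructed sample data for a hypothetical mid-sized insurer, and the regime labels (HIPAA, PCI DSS, a plain "PII" tag) are just tags on the data.

```python
"""Risk register walking the five steps: catalog assets, map them to
systems, catalog threats, attach controls, and check that controls are
still being monitored. Added example with constructed sample data; the
names below are hypothetical and belong to no real insurer or product."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DataAsset:          # Step 1: what we hold and which regime it falls under
    name: str
    elements: frozenset
    regimes: frozenset    # e.g. HIPAA, PCI DSS, or a plain "PII" label


@dataclass(frozen=True)
class System:             # Step 2: where the asset is stored or transmitted
    name: str
    assets: frozenset
    internet_facing: bool


@dataclass(frozen=True)
class Threat:             # Step 3: what could go wrong, scored 1-5 each
    name: str
    system: str
    likelihood: int
    impact: int


@dataclass(frozen=True)
class Control:            # Steps 4 and 5: the safeguard and its review cadence
    name: str
    mitigates: frozenset  # threat names this control addresses
    last_verified: date
    review_days: int


TODAY = date(2018, 1, 15)   # fixed date so the report is reproducible

# Constructed inventory for a hypothetical insurer.
ASSETS = [
    DataAsset("health_claims", frozenset({"name", "dob", "diagnosis"}), frozenset({"HIPAA"})),
    DataAsset("policyholder_pii", frozenset({"name", "dob", "ssn", "account_number"}), frozenset({"PII"})),
    DataAsset("card_payments", frozenset({"pan", "expiry"}), frozenset({"PCI DSS"})),
]
SYSTEMS = [
    System("customer_portal", frozenset({"policyholder_pii", "card_payments"}), True),
    System("claims_db", frozenset({"health_claims", "policyholder_pii"}), False),
    System("cloud_backup", frozenset({"health_claims", "policyholder_pii", "card_payments"}), False),
]
THREATS = [
    Threat("sql_injection", "customer_portal", 4, 5),
    Threat("cross_site_scripting", "customer_portal", 3, 3),
    Threat("insider_record_alteration", "claims_db", 2, 4),
    Threat("ransomware", "cloud_backup", 3, 5),
    Threat("backup_bucket_exposure", "cloud_backup", 2, 5),
]
CONTROLS = [
    Control("waf_and_parameterized_queries", frozenset({"sql_injection", "cross_site_scripting"}), date(2016, 12, 1), 365),
    Control("rbac_with_change_logging", frozenset({"insider_record_alteration"}), date(2017, 12, 20), 90),
    Control("offline_backup_copies", frozenset({"ransomware"}), date(2017, 10, 1), 90),
]


def regulated_systems(assets, systems):
    """Step 2 output: the regimes each system inherits from the data it holds."""
    by_name = {a.name: a for a in assets}
    return {s.name: set().union(*(by_name[n].regimes for n in s.assets)) for s in systems}


def ranked_threats(threats):
    """Step 3 output: inherent risk = likelihood x impact, highest first."""
    return sorted(((t.name, t.likelihood * t.impact) for t in threats), key=lambda x: -x[1])


def unmitigated(threats, controls):
    """Step 4 gap: threats that no control claims to mitigate."""
    covered = set().union(*(c.mitigates for c in controls))
    return [t.name for t in threats if t.name not in covered]


def stale_controls(controls, today):
    """Step 5 gap: controls whose last verification is older than their review cadence."""
    return [c.name for c in controls if (today - c.last_verified).days > c.review_days]


def risk_report(assets, systems, threats, controls, today):
    """Bundle the four views a compliance officer would review together."""
    return {
        "regulated_systems": regulated_systems(assets, systems),
        "top_risks": ranked_threats(threats),
        "unmitigated": unmitigated(threats, controls),
        "stale_controls": stale_controls(controls, today),
    }


if __name__ == "__main__":
    for key, value in risk_report(ASSETS, SYSTEMS, THREATS, CONTROLS, TODAY).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows the two findings that a once-per-year audit would miss: one threat (the exposed backup bucket) has no control attached at all, and two of the three controls have passed their review window even though they exist on paper. Replacing the constant inventory with an export from an asset database or GRC tool turns the same functions into a continuous check.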
How ZenGRC Enables Continuous Compliance in the Insurance Industry
Insurance companies suffer from the burden of providing a variety of services that collect a myriad of data. Customer information and employee information need to be stored with equal security, but underwriting and payroll may never speak to one another. Moreover, different lines of coverage require different information and may use different vendors as part of their business operations. Enabling a single source for data collection and communication allows insurance compliance officers to more efficiently monitor their cybersecurity posture.
ZenGRC’s System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.
GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.