Preventing Data Breaches
Scott Stephens | August 17, 2020
Like businesses in most industries today, insurance organizations are facing an unusually high level of uncertainty due to circumstances beyond their control. While our nation currently faces the reality of COVID-19, which has wreaked havoc on the U.S. economy, businesses in every industry need to focus on ways to remain viable.
Certainly, when you outsource the production and delivery of your policyholder communications to a third party, it is important to ensure the provider has the resources and staffing required to manage your work. However, to help you sleep at night, today the most critical thing to ascertain is what security measures they have in place to protect the privacy of the data included in your billing notices, policies, quotes, EOBs, and other communications.
Data breaches have become an unfortunate reality of doing business, with the number of reported breaches increasing by more than 50% in 2019 compared to the previous year. As an industry that processes large amounts of private data, insurance is a prime target for criminal enterprises and malicious insiders. The risk of exposure is even greater for enterprises that outsource their electronic document processing, billing and distribution solutions to a third-party provider. With more U.S. states enacting tighter data breach legislation, prioritizing data security is imperative for insurers, particularly those that outsource documents.
Five security measures you should look for
It is no longer enough that a potential service provider can show written policies and procedures; there must also be evidence and technical solutions in place to support those policies. A robust and mature security program is the best way to head off data breaches and to minimize exposure once they occur. Here are the top five security measures you should look for when outsourcing the management of your company’s transactional documents, along with some guidance on how best to validate your provider’s security program.
1. The restriction and monitoring of access to secure areas and information systems
The third-party provider you use should provide evidence that they secure areas that house information systems with physical barriers, locked entrances and authorized access monitored through an alarm system, CCTV, and other measures. Monitoring system activity is equally important. Make sure your third-party provider has a system for aggregating and reviewing logs that includes a qualified, dedicated team to configure software to log activity, periodically validate those configurations and conduct regular log reviews. If the provider leases data center or IT assets from a “fourth-party” company, these controls should also be used by those providers.
2. The technical safeguards in place to protect information systems
When evaluating a service provider, it is critical to verify that they have implemented technical safeguards and controls to prevent unauthorized access to company networks and electronic transactions, that all servers are protected by a well-rated hardware firewall, and that an intrusion detection system (IDS) is in use. A layered, well-documented network and computer security system should also include strong encryption of data in all phases of production. Remember, in data security, technical controls are always preferable to written policies.
3. A comprehensive contingency and incident response program
Even with the best precautions, emergencies and incidents are inevitable. All of your providers should have well-developed contingency and incident response plans to share with you that include a clearly identified chain of command, defined procedures for handling a variety of scenarios and a redundant IT infrastructure. The plans should be tested at least annually and team members should receive regular training on their assigned roles and responsibilities.
4. Regular risk assessments and up-to-date risk management plans
It is critical that service providers handling your policyholder communications have a solid plan in place to identify and respond to external and internal threats and vulnerabilities in their information systems and physical facilities. The plan should be updated no less than once a year, and more frequently if they’ve made significant changes to their technology or operations. The plan needs to assign probabilities and impacts of each risk, and include specific ways these risks are mitigated.
5. Biller authentication and non-repudiation of bills
While many of the measures I’ve discussed protect the back end of processing, it’s just as important to assure customers that their data is intact on the front end. Ask about additional enhancements like biller authentication and non-repudiation of bills. These measures make sure only authorized parties access consumer data and authenticate the validity of requests for payment.
Check for the proper certifications
Evaluating a third-party provider’s security program has many variables. While many data security and privacy laws establish requirements for safeguarding personal information, they give organizations a lot of latitude in how they implement those requirements. This means the quality of security programs can vary widely. Certification of a recognized security framework ensures that the organization complies with a standardized set of controls validated by an independent third party.
Some of the most rigorous and recognized frameworks and regulations include HITRUST CSF, NIST 800-53, IRS Pub 1075, ISO 27001, SSAE-18, PCI DSS (for payment processing), and Sarbanes Oxley.
- The HITRUST CSF is a certifiable framework for regulatory compliance and risk management. It includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, and PCI.
- NIST 800-53 is the regulatory standard for security and privacy controls developed and maintained by the U.S. National Institute of Standards and Technology. It is intended to heighten the security of information systems used by the federal government, and it applies to all systems that store, process or transmit federal information. The law requiring this certification is the Federal Information Security Management Act (FISMA).
- ISO 27001 is often referred to as the gold standard for security certifications and is internationally recognized, making it particularly useful for organizations that process Personally Identifiable Information (PII) outside the U.S. Developed by the International Organization for Standardization, ISO 27001 requires organizations to demonstrate they have implemented an information security management system in addition to several controls governing the security of IT systems and data.
- SSAE-18 was developed by the American Institute of Certified Public Accountants (AICPA) and requires organizations to comply with Trust Service Principles modeled on four broad areas: policies, communications, procedures and monitoring. Organizations demonstrate compliance through three Service Organization Control (SOC) reports: SOC 1, SOC 2 and SOC 3 (for ecommerce systems). Like ISO 27001, SSAE-18 has widespread recognition across multiple industries.
- PCI DSS is a globally instituted security standard for all merchants and service providers that accept credit card information. The latest PCI DSS standard is version 3.2.1. You should ensure that payment-capable providers are assessed and compliant under the Level 1 merchant standard, which requires an on-site third-party assessor.
- Last but not least, Sarbanes Oxley addresses security requirements for all corporate accounting controls mandated by U.S. federal law.
With data breaches on the rise, insurers must take steps to validate not only their own security practices, but also those of any third-party providers to whom they outsource the processing of policyholder communications and payments. Doing due diligence when outsourcing your transactional documents will give you—and your customers—the assurance that all steps have been taken to protect private information.