
RISK / SECURITY

Tech, Processes, and a Plan

Over the past two decades, technology used to create and distribute insurance documents has continued to expand with new features and capabilities. While security has always been a priority, it typically was implemented with a “fortress mentality,” which meant we hardened the network perimeter and counted on the systems that were being implemented to also provide the protection our business documents required. We believed that our customers’ information was safe inside the firewall.

After reading story after story of large companies having data breaches, it is now apparent that current practices are ineffective in preventing them. Target had as many as 70 million credit card and debit card accounts stolen. Equifax was in the news due to a data breach that impacted the personal information of approximately 147 million users. Then, in one of the biggest data breaches ever, a hacker broke into a Capital One server and gained access to more than 100 million customer accounts and credit card applications. Suddenly, the architecture that we counted on for protecting our data proved to be insufficient and data security—the processes and technologies used to safeguard data—has risen to the top of every company’s concerns.

In every insurance organization, there is a plethora of customer data that can fall into the hands of cyber-thieves, making securing data an ongoing challenge. Because hackers have become more sophisticated, it is even more important to continually ensure security policies are up-to-date and effective. Nothing is more important than protecting the security of your customers’ sensitive data.

With new compliance laws continuing to appear, and the penalties for not following them increasingly more expensive, every organization is looking for ways to decrease the risk associated with the safeguarding of confidential data. However, all the planning in the world won’t prevent a data breach if your information systems are unprotected. As a result, there is a critical need to invest in the right technology and processes to address security concerns and close any security gaps.

What to look for in technology

While many technologies only protect static data, assessing what to look for in a security platform starts with confirming the platform you choose offers the type of protection technology that travels with the file, keeping data encrypted at all times. This can ensure true closed-loop protection from file receipt to output. The protected data should be able to be accessed by your critical business applications in real-time with minimal performance degradation, allowing you to keep sensitive data protected at all times.

The audit and reporting capabilities of the security technology you select are critical and will be reviewed by outside auditors when you go through compliance certification. Often your customers will require you to provide reporting proving you can control and log all access to their data. You will want to be sure your chosen technology provides this information. If the technology allows you to embed policy in the data, this will add even more protection, as the data in essence becomes a partner in its own protection and can enforce rules such as an expiration date or location requirements for opening.

With today’s mobile technology, policyholders expect quick access to their documents with one click. On the flip side, insurers must meet stringent security and compliance restrictions that have held them back from being able to send secure customer communications electronically. In many industries like insurance, financial services or healthcare, data-sensitive customer communications are difficult to send electronically via an attachment due to stringent compliance regulations. However, having the ability to seamlessly deliver these types of communications via multiple delivery channels is no longer a “nice to have”; it has become an expectation from your customers.

New on the market are security solutions for insurers who grapple with how to electronically distribute these sensitive documents that have regulatory requirements with the convenience policyholders are demanding. These platforms take traditional security measures a step further by offering not only protection that travels with the data at all times, but also the ability to make secure email or SMS delivery possible by adhering to the stringent requirements of specific regulations for document security. The convenience of securely opening an actual attachment makes it possible to send documents, such as insurance cancellations or FNOL, without links, and then track every access point and attempted access.

Any security-based software you are evaluating should also offer both proof of delivery to the intended recipient and a built-in comprehensive audit trail that includes immediate shredding on unauthorized attempts.

After technology, what’s next?

After evaluating what is the right security software for your needs, another important step is to assess where your gaps are and what you need to do about them. Once you diagnose the potential vulnerabilities in your processes, you can then develop a formal risk mitigation plan to address identified areas for improvement. Here are three to consider:

  • Disaster recovery and emergency preparedness

We know that ransomware is here to stay, and it is a growing threat. According to BlackFog, a global cybersecurity company, damages from cybercrime are expected to hit $6 trillion this year (up from $3 trillion in 2015), and the number of ransomware attacks is expected to increase, with newer forms becoming more sophisticated and disruptive. We only have to think of the most recent attack, in which the world’s largest meat processing company was forced to shut down production at several global sites, to know that every business needs a risk mitigation plan that includes recovery options for when (not if) this happens. An incident response plan should identify the chain of command and contact information for team members, as well as procedures for responding to different levels of data breaches and to whom they should be communicated. Most importantly, it is your online system that will most likely be affected by ransomware; it is critical to have an offline backup of information that is not accessible via a network, thus allowing you to restore normal business operations when a ransomware attack happens.

  • The compliance regulations important to customers

Regulations such as HIPAA, PCI, FISMA and SSA16 address an industry’s unique privacy requirements for the type of data they maintain. It is important that your risk mitigation plan includes specifics for handling these regulations. Enterprises and third-party service providers can pursue certifications that ensure a security program functions at an optimal level; most security certifications require that companies implement risk management and other security controls as part of the assessment process. Companies that store credit card information on their processing systems, for example, should maintain PCI certification overseen by the Payment Card Industry Security Standards Council (PCI SSC) as it requires businesses to maintain seven critical security controls. HITRUST certification is another option for businesses that handle protected health information, giving customers the added assurance that your business is able to address rigorous HIPAA standards.

While you can’t monitor every touchpoint, it is important to put safeguards in place that reduce workflow steps in order to limit interaction with the data. The features of the technology written about earlier make it possible for data to be embedded into the file and remain encrypted while being processed throughout the entire workflow. Again, your system should integrate closed-loop protection with multi-factor authentication controls from file receipt to output management that will protect the data at the production level and reduce the opportunity for human error. Proper malware detection and protection software, as well as 24/7 network monitoring, will also help ensure data is protected at all times.

As data needs continue to grow, the demand for high-quality data protection, from your software to your processes, expands. Meeting today’s critical need for data protection requires having the right solutions, processes and plans in place for safely communicating with policyholders in a business environment where cybersecurity incidents and data breaches are on the rise. Hence, it is important to source and implement the most up-to-date data security solutions to mitigate the risk of these frightening cyber breaches and to continually monitor and improve your systems and security processes, identifying and closing any gaps. Another benefit of having these strong security initiatives in place is that it demonstrates to your customers that protecting their data is a top priority, which can be a deciding factor for them when doing business with your company.

 

