While homes, vehicles, and other personal assets can be insured, the sensitive data collected by insurance companies cannot. Insurers gather many different types of personal data when determining how much a customer should pay in premiums. From social security numbers to private addresses and credit card information, insurance companies draw on data from many sources when assessing the level of risk that each customer presents.
Once unauthorized parties gain access to the personal data of your customers, the consequences can be devastating. Insurance companies need to implement a management process that minimizes the likelihood of a breach of sensitive data.
Insurance data that is at risk of cybersecurity threats
A lot goes into determining how much risk each policyholder presents to an insurance company. To feed the models that set a suitable monthly premium rate, insurers request sensitive information from their customers. Such data includes social security numbers, driver's license numbers, biometric data, healthcare information, and financial records.
Keeping such data secure is vital for all insurance companies. To help insurers manage this risk, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law in 2017, a model law that individual states enact into their own statutes. It outlines best practices for risk assessment and management, which can be read as a 5-step process for risk assessment and another 5-step process for risk management.
At the center of this law is an emphasis on protecting all nonpublic information that policyholders provide to their insurance company. Nonpublic information is broader than the data used to calculate premiums: it covers a consumer's name combined with a social security number, driver's license number, account or card number, security code or password, or biometric record, as well as health information and the insurer's own sensitive business information.
The five steps involved during a risk assessment
This risk assessment process includes the following:
- Making risk assessment an internal process
The first step NAIC proposes is making risk assessment internal to each company. With a personal sense of responsibility to protect customer data, insurance companies will stay alert where data security is concerned, reducing the likelihood of data breaches. This process begins with designating a risk manager who is responsible for overseeing the company's security program.
- Establishing a framework for identifying internal and external threats
The threats facing insurance data are widespread. Because they can arise from both internal and external sources, the NAIC model law directs insurers to maintain a process for identifying reasonably foreseeable internal and external threats so that they can be guarded against.
- How likely is a threat to happen and what would be the consequences?
Similar to how an insurance company assesses the likelihood that a policyholder may get into an accident, insurers should assess the likelihood of customer data being breached at any given time. The assessment should also cover the financial, legal, and intangible (for example, reputational) consequences your company would face if it happened.
- A review of current systems and their susceptibility to risk
The next step is to review current cybersecurity systems and determine how well they stack up against standardized guidelines. This review should cover all networks and software in use, as well as data storage, classification, and transmission procedures. Any shortfalls identified should be recorded so that a plan for improvement can be drawn up.
- Putting in place a risk mitigation plan
Insurers need to stay on top of new risks introduced by new technologies or by increasingly sophisticated cyber-attacks, so the mitigation plan cannot be a one-time exercise. This is achieved by repeating the risk assessment regularly, at least on an annual basis, and updating the plan accordingly.
Understanding the risk management process for insurers
While risk assessment refers to the identification of potential weak spots in data security, risk management refers to the active monitoring and mitigation of the risks your company faces. A risk management plan, according to NAIC, involves the following steps.
- Establishing an information security program
Risk management starts with an effective information security program. Such a program should be relevant to the operations of your business, and it should have enough resources to help identify and mitigate any current risks that your company may face.
- Implementing security controls
Security controls limit who has access to sensitive customer data and add a layer of protection against internal threats. Your controls should include authentication for data access, restricted physical access to sensitive parts of the business, regular testing and monitoring of company systems, and secure software development practices.
- An Enterprise risk management plan that incorporates cybersecurity
Cybersecurity threats should be included in your enterprise risk management (ERM) plan alongside the other risks it accounts for, rather than being handled in isolation.
- Putting in place an information sharing plan
Information sharing allows all departments and industry players to learn about new risks in a timely fashion and to design an appropriate response.
- Regular training to keep personnel on top of emergent risks
Finally, your risk management plan should involve training of appropriate staff so they can remain on top of the rapidly evolving strategies that cyber attackers use.
About the Author
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.