Insurance Companies’ Risk Management Process

Insurance companies know how to protect their clients’ homes, cars, and businesses, but protecting the personal information of those customers is harder to assure.

While the insurance industry focuses on risk-based analyses for its own underwriting programs, firms also need to apply those same risk management processes to securing customer information.

What Kinds of Protected Data Do Insurance Professionals Collect?

The National Association of Insurance Commissioners (NAIC) established a model law for governing cybersecurity risks in the insurance industry. 

According to a recent study from the NAIC, the core risks facing an insurance company are “underwriting, credit, market, operational, liquidity risks, etc.” The study also lists the types of data that must be protected via risk management and classifies such data as “nonpublic” information. 

Types of Protected Data

  • Number assigned by the Social Security Administration
  • Number on a driver’s licence or a non-driver ID card
  • Number of your account, credit card, or debit card
  • A security code, access code, or password that allows a customer to access a financial institution’s account
  • Biometric information
  • Information about a customer’s past, present, or future physical, mental, or behavioural health or condition obtained from a healthcare provider; or any such information about a customer’s family members obtained from a healthcare provider
  • Information obtained from a healthcare provider regarding care provided to the customer
  • Information obtained from a healthcare provider about payment for the provided care
  • Any business information that can materially affect a business in an adverse manner

In short, almost all the information that helps an insurance company determine the premium for a consumer’s insurance policy is nonpublic and should be protected.

NAIC Best Practices for Risk Assessment

A risk assessment is an assessment of all the potential risks to your organization’s ability to do business. These include project risks, function risks, enterprise risks, inherent risks, and control risks. 

For insurance companies this should be nothing new; the goal of any insurance underwriter is to properly assess risk by applying actuarial science to assign a monetary value required to properly insure against that risk. 

They must not, however, make the mistake of believing that risk management is only valid where their customers are concerned. Insurers must protect themselves as well. 

Insurers collect a variety of personal data that cybercriminals can leverage to commit fraud and various other crimes. Thus, proper risk assessment and management are extremely important for this industry.

The NAIC has listed five steps to perform an effective risk assessment.

Step 1: Designate a Risk Manager

The risk manager can be an employee, several employees, or a vendor responsible for the overarching information security program.

Step 2: Identify Reasonably Foreseeable Internal and External Threats

These threats arise from potential unauthorized access, transmission, disclosure, misuse, alteration, or destruction of the protected information. Moreover, the threats identified need to incorporate those from internal systems or third-party service providers.

Step 3: Assess the Likelihood and Estimate Damage

Considering the private nature of the information that insurance companies collect, they must assess the likelihood that cybercriminals will target the company’s databases and estimate potential financial, reputational, and legal risks.

Step 4: Review Current Policies, Procedures, Systems, and Safeguards

Determine how successfully the current controls safeguard data; this will give you a better idea of what further you might need in terms of cybersecurity.

Insurance businesses must examine all parts of their controls while examining their information systems. To accomplish this, they must first examine and evaluate network and software designs.

They must also evaluate the dangers that their present information classification, governance, processing, storage, transmission, and disposal practices entail.

They also need to know how safe their present detection, protection, and response mechanisms are against attacks, intrusions, and system failures.

Finally, they need to assure continuous, relevant training for employees and managers.

Step 5: Implement Procedures and Safeguards

Once you identify shortcomings in your cybersecurity controls, implement mitigation measures as necessary to reduce the risk to whatever tolerance has been defined by your board.

Beyond that, remember that the effectiveness of cybersecurity controls will change as insurance companies incorporate new technologies and as cybercriminals evolve their threat methodologies.

So insurance firms should re-perform their risk assessment at least once a year to assure continued control effectiveness.

How Does Risk Management Differ From Risk Assessment?

The risk assessment measures various risks and helps an insurance company define the ones that are most significant.

Enterprise risk management (ERM) for insurance companies means monitoring and updating controls for mitigated or accepted risks unless the company decides to engage in a risk transfer. 

Steps to Risk Management for Insurance Professionals

Insurance firms face cybersecurity regulation at the state and national level, plus extensive security expectations from the banks that work with insurance firms. Adding more complications, state-level security regulation will be mostly similar, but not identical, across all jurisdictions.

When insurance companies and claims adjusters properly manage risk, it gives them an advantage: not only by providing loss control against costly data breaches, but also by protecting insurance brokers from compliance violations and enhancing their credibility with clients looking for insurance products that can protect the things most precious to them.

NAIC sets out five steps to risk management for insurance companies.

Step 1: Design an Information Security Program

An information security program should be appropriate for the insurance professional’s size and complexity. As part of the ERM approach, a company may choose to mitigate the risks itself or transfer the risks to a vendor.

If the company outsources services, however, it needs to assure that the outsourcing partner also protects sensitive information.

Step 2: Choose Appropriate Security Controls

Similar to other prescriptive standards, the NAIC offers a series of controls that can help guide actuaries. The 11 controls used by risk analysts are:

  • Create access and authentication controls.
  • Classify data, employees, devices, IT systems, and facilities according to their importance.
  • Limit physical access.
  • Use encryption both at rest and in transit.
  • Use secure software development techniques.
  • Modify information systems to ensure that the security program is followed.
  • Implement access controls such as multi-factor authentication.
  • Test and monitor systems and procedures on a regular basis.
  • Create audit trails to detect and respond to cybersecurity events so that material financial transactions can be reconstructed.
  • Implement procedures to protect against destruction, loss, or damage caused by natural disasters, fire, water damage, or technical failures.
  • Create procedures for secure disposal and record retention.

Step 3: Cybersecurity in ERM

Although the NAIC appears to create an ERM-based approach to cybersecurity, the model law specifies that the enterprise risk management process should incorporate information security.

Step 4: Stay Informed

This risk management procedure focuses on sharing information about emerging threats and vulnerabilities. As part of continuous monitoring, insurance companies should be aware of new threat vectors.

As part of informing internal and external stakeholders, they need to establish clear communication procedures.

Step 5: Cybersecurity Training

The model law focuses on both initial training and continued, updated training to reflect new risks to the data ecosystem and environment. Repeating the “stay informed” procedure highlights the importance of employee cyber awareness.

How ZenGRC Connects Risk Management & Insurance

With the amount of personal information collected by insurance agents, cybersecurity risk management should be as high a priority as everyday business administration.

That said, traditional tools like shared calendars for task assignments and emails for discussions take time that could be better spent monitoring cybersecurity.

Maintaining an effective information security program requires an efficient workflow tool to coordinate communication and task management across internal stakeholders.

This is true for all types of insurance players: financial services, life insurance, health insurance, or property and casualty insurance services.

ZenGRC provides insurance compliance software that allows you to prioritize tasks, so everyone knows what to do and when to do it, and so you can maintain records until the time you need to dispose of them.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.

Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
