Insurance companies know how to protect their clients’ homes, cars, and businesses. Protecting those customers’ personal information is harder.
While the insurance industry relies on risk-based analysis for its underwriting programs, firms must apply the same risk management discipline to securing customer information.
What Are the Different Types of Risk?
It is useful to categorize risks when considering them. Classification lets each risk category be monitored by team members who know that subject.
For instance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a collaboration of industry groups that publishes risk management guidance, recommends dividing risk into the following four categories:
- Financial and reporting risk, e.g., market, tax, credit
- Compliance and governance risk, e.g., ethical, regulatory, international commerce, privacy
- Operational risks, e.g., information and technology security and privacy, supply chain, labor issues, natural disasters
- Strategic risks, e.g., changes in customer demand, new competitors
Risk categories also help consolidate information as managers discuss, monitor, and adjust their risk-response strategies. A structured brainstorming approach helps ensure the list is comprehensive for each category. Several tools are also available for visualizing and assessing possible risk events.
Examples include:
- Threat trees for cybersecurity risk, e.g., Carnegie Mellon’s OCTAVE Allegro approach
- Risk breakdown structures for project risks
- Delphi exercises for investment risk
Recording the results in a risk register is the last step in the risk identification stage. The register is the means for tracking and communicating the identified risks throughout the risk management lifecycle.
Why Is the Risk Management Process Important?
The risk management process is essential because it equips a company with the tools it needs to identify and manage possible risks. Once a risk is recognized, an effective process can minimize its negative impact. Risk management also gives a corporation a foundation for better decision-making.
Identifying and managing risks is imperative to prepare for events that impede progress and growth. A company’s chances of success increase when it assesses its strategy for dealing with possible challenges and then builds the structures to meet them.
Proactive risk management also ensures that high-priority issues are addressed first. Leadership gets the data it needs to make sound decisions that maintain profitability and manage risk exposure.
What Kinds of Protected Data Do Insurance Professionals Collect?
The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law, which governs how insurance licensees manage cybersecurity risk.
The NAIC identifies the core risks facing an insurance company as “underwriting, credit, market, operational, liquidity risks, etc.” Its guidance also lists the data types that must be protected through risk management and classifies such data as “nonpublic information.”
Types of Protected Data
- Social Security number
- Driver’s license number or non-driver ID number
- Account number, credit card, or debit card number
- Security code, access code, or password that enables a consumer to access an account at a financial institution
- Biometric records
- Information obtained from a healthcare provider regarding a customer’s or customer’s family members’ physical, mental, or behavioral health or condition
- Information obtained from a healthcare provider regarding care provided to the customer
- Information obtained from a healthcare provider about payment for the provided care
- Business-related information whose tampering, unauthorized disclosure, access, or use would have a material adverse impact on the business, its operations, or its security
In short, almost all the information that helps an insurance company determine the premium for a consumer’s insurance policy is nonpublic and should be protected.
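As an added example (not from the NAIC or the original page), the following Python scanner shows how an insurer might discover two of the nonpublic data types listed above, Social Security numbers and payment card numbers, in free-text records such as claims notes, so those records can be classified and protected. The patterns, validity rules, and sample claims text are constructed for illustration; the Luhn check and the SSA’s unissued area/group/serial rules are standard, while identifiers whose format varies by state, such as driver’s license numbers, are omitted.

```python
"""Added example: discover nonpublic information in free-text insurance records.

Flags Social Security numbers and payment card numbers so the records holding
them can be classified and protected. Findings are masked so the scanner's own
output is not itself a leak. The sample text below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Nine digits in SSN layout, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Thirteen to nineteen digits, optionally separated by spaces or dashes (card PAN layout).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, which is all a finding report needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    line_no: int
    masked: str


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for each SSN or Luhn-valid card number, per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding("ssn", line_no, mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("card", line_no, mask(digits)))
    return findings


# Constructed sample: one valid-looking SSN, one SSA-invalid SSN, one Luhn-valid
# test card number, one Luhn-invalid digit run, and policy/phone numbers that
# must not be flagged.
SAMPLE_TEXT = """Claim note: insured SSN 123-45-6789, prior carrier ref 666-12-3456.
Premium paid by card 4111 1111 1111 1111; test value 1234 5678 9012 3456 ignored.
Policy number POL-2024-000123, phone 555-123-4567."""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run against the sample, the scanner reports one SSN on line 1 and one card number on line 2; the SSA-invalid SSN, the Luhn-invalid digit run, and the policy and phone numbers are not flagged. In production such a scanner would be pointed at claims systems, mail stores, and file shares, and its findings would feed the data inventory the NAIC asks licensees to maintain; tuning for adjacent digit runs and local identifier formats would still be needed.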
NAIC Best Practices for Risk Assessment
A risk assessment identifies and evaluates the potential risks to your organization’s ability to do business. These include project management risks, operational risks, enterprise risks, inherent risks, and control risks.
For insurance companies, this should be nothing new: the goal of any underwriter is to assess risk by applying actuarial science and to price the premium required to insure against it.
They must not, however, assume that risk management applies only to their customers. Insurers must protect themselves as well.
Insurers collect a wide range of personal data that criminals can use to commit fraud and other crimes, so proper risk assessment and management are especially important for this industry.
The NAIC has listed five steps to perform an adequate risk assessment.
Step 1: Designate a Risk Manager
The risk manager can be an employee, several employees, or a vendor responsible for the overarching information security program.
Step 2: Identify Reasonably Foreseeable Internal and External Threats
These threats arise from potential unauthorized access, transmission, disclosure, misuse, alteration, or destruction of protected information. The threats identified must include those arising from internal systems and from third-party service providers.
Step 3: Assess the Likelihood and Estimate Damage
Given the sensitivity of the information insurance companies hold, they must assess how likely it is that attackers will target the company’s systems and databases, and estimate the potential impact should they succeed.
Step 4: Review Current Policies, Procedures, Systems, and Safeguards
Determine how well the current controls protect data; this shows where additional cybersecurity measures are needed. Insurance companies must consider all aspects of their controls when reviewing information systems, starting with network and software design.
They also need to assess the risks posed by their current information classification, governance, processing, storage, transmission, and disposal procedures, and to understand how well their detection, protection, and response processes secure the information against attacks, intrusions, and system failures.
Finally, they must ensure continuous, relevant training for employees and managers.
Step 5: Implement Procedures and Safeguards
Once you identify shortcomings in your cybersecurity controls, implement mitigation measures to reduce the risk to the tolerance defined by your board.
Remember too that the effectiveness of cybersecurity controls changes as insurance companies adopt new technologies and attackers refine their techniques. Insurance firms should therefore repeat the risk assessment annually to confirm that their risk controls remain effective.
How Does Risk Management Differ From Risk Assessment?
The risk assessment measures the various risks and helps an insurance company identify the most significant ones. Enterprise risk management (ERM) for insurance companies means deciding how each risk is treated (mitigated, accepted, or transferred, for example via cyber insurance) and then monitoring and updating the controls for mitigated and accepted risks over time.
Risk Management Process Steps for Insurance Professionals
Insurance firms face cybersecurity regulations at the state and national level, plus extensive security expectations from the banks they work with. Adding to the complexity, state-level security regulations are broadly similar but not identical across jurisdictions.
When insurance companies and claims adjusters manage risk properly, they gain an advantage beyond loss control against costly data breaches. It also protects insurance brokers from compliance violations and enhances their credibility with clients looking for insurance products that protect what matters most to them.
The NAIC sets out five steps to risk management for insurance companies.
Step 1: Design an Information Security Program
An information security program should be appropriate for the insurance professional’s size and complexity. As part of the enterprise risk management approach, a company may choose to mitigate a risk itself or transfer it to a vendor. If the company outsources services, however, it remains responsible for ensuring that the outsourcing partner also protects sensitive information.
Step 2: Choose Appropriate Security Controls
Similar to other prescriptive standards, the NAIC model law lists security measures that a licensee should consider as appropriate to its risk assessment. The 11 measures are:
- Place access controls on information systems, including authentication controls
- Identify and manage the data, personnel, devices, information technology (IT) systems, and facilities that are critical to the business
- Restrict physical access to nonpublic information
- Encrypt nonpublic information at rest and in transit
- Adopt secure development practices for in-house applications
- Modify the information systems as needed to maintain compliance with the security program
- Use effective controls for access, such as multi-factor authentication
- Test and monitor systems and procedures regularly
- Include audit trails that detect and respond to cybersecurity events and allow material financial transactions to be reconstructed
- Implement measures to protect against destruction, loss, or damage from environmental hazards such as fire and water damage, and from technological failures
- Develop secure disposal and records retention procedures
Step 3: Cybersecurity in ERM
Rather than treating cybersecurity as a standalone program, the model law requires that cybersecurity risk be included in the licensee’s enterprise risk management process.
Step 4: Stay Informed
This risk management procedure focuses on sharing information about emerging threats and vulnerabilities. As part of continuous monitoring, insurance companies should be aware of new threat vectors. To inform internal and external stakeholders, they must establish clear communication procedures.
Step 5: Cybersecurity Training
The model law requires both initial training and continued, updated training that reflects new risks to the data ecosystem and environment. This repeats the “stay informed” requirement at the level of the individual employee and underlines the importance of cyber awareness.
Risk Assessment vs. Risk Analysis
Sorting through the various risk-related concepts, such as risk assessment, risk analysis, and risk management, can be confusing. The most significant distinction is breadth: the risk management plan is the overall framework, and it includes both risk assessment and risk analysis.
Risk assessments identify the possible risks, categorize them, and determine the appropriate risk treatment.
Risk analysis is the part of the assessment in which you estimate the probability and potential impact of each identified risk; those estimates drive categorization and prioritization.
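As an added example (not from the NAIC or the original page), the following Python sketch builds the risk register described earlier with a quantitative risk analysis: each risk’s likelihood (annual rate of occurrence, ARO) and impact (single loss expectancy, SLE) give its annual loss expectancy (ALE), and the treatment (accept, mitigate, transfer, or both) is chosen by comparing each option’s expected annual cost against a board-set tolerance on residual loss. The risk descriptions, figures, control effects, premiums, and tolerance are all constructed assumptions.

```python
"""Added example: a quantitative cyber-risk register for an insurer.

Each risk is scored as annual loss expectancy (ALE = ARO x SLE). Every
combination of "no action", a mitigating control and a risk transfer (cyber
insurance) is then checked against a board-set tolerance on residual ALE, and
the cheapest compliant option is recorded as the treatment. All names and
figures are constructed for illustration.
"""
import itertools
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

BOARD_TOLERANCE = 50_000.0  # assumed: max residual ALE per risk the board will carry


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # multiplies ARO; 0.2 means 80% fewer incidents
    sle_factor: float = 1.0  # multiplies SLE; 0.5 means half the loss per incident


@dataclass(frozen=True)
class Transfer:
    name: str
    annual_premium: float
    coverage_fraction: float  # share of each loss the policy reimburses


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    category: str  # COSO-style bucket
    owner: str
    aro: float     # annual rate of occurrence (expected incidents per year)
    sle: float     # single loss expectancy (USD per incident)
    control: Optional[Control] = None
    transfer: Optional[Transfer] = None


def inherent_ale(risk: Risk) -> float:
    return round(risk.aro * risk.sle, 2)


def residual_ale(risk: Risk) -> float:
    """ALE after the chosen control and transfer are applied."""
    aro, sle = risk.aro, risk.sle
    if risk.control:
        aro *= risk.control.aro_factor
        sle *= risk.control.sle_factor
    if risk.transfer:
        sle *= 1.0 - risk.transfer.coverage_fraction  # the carrier absorbs the rest
    return round(aro * sle, 2)


def annual_cost(risk: Risk) -> float:
    """Expected yearly cost of carrying the risk: retained loss plus treatment spend."""
    cost = residual_ale(risk)
    if risk.control:
        cost += risk.control.annual_cost
    if risk.transfer:
        cost += risk.transfer.annual_premium
    return round(cost, 2)


def choose_treatment(risk: Risk, controls: List[Control], transfers: List[Transfer],
                     tolerance: float = BOARD_TOLERANCE) -> Risk:
    """Return the risk with the cheapest treatment whose residual ALE is within tolerance."""
    best = None
    for ctl, xfer in itertools.product([None, *controls], [None, *transfers]):
        candidate = replace(risk, control=ctl, transfer=xfer)
        if residual_ale(candidate) > tolerance:
            continue
        if best is None or annual_cost(candidate) < annual_cost(best):
            best = candidate
    if best is None:  # nothing on the table is acceptable: the board must decide
        raise ValueError(f"{risk.id}: no option brings residual ALE within tolerance; escalate")
    return best


def treatment_label(risk: Risk) -> str:
    return {(False, False): "accept", (True, False): "mitigate",
            (False, True): "transfer", (True, True): "mitigate+transfer"}[
        (risk.control is not None, risk.transfer is not None)]


def build_register() -> List[Dict]:
    """Constructed register: three risks, each with the options its owner proposed."""
    cyber_policy = Transfer("cyber liability policy", annual_premium=50_000, coverage_fraction=0.8)
    items = [
        (Risk("R1", "breach of claims database holding SSNs and health data", "operational",
              "CISO", aro=0.1, sle=2_000_000),
         [Control("MFA plus at-rest encryption", 40_000, aro_factor=0.2)], [cyber_policy]),
        (Risk("R2", "phishing leading to fraudulent claim payouts", "operational",
              "Head of Claims", aro=2.0, sle=25_000),
         [Control("security awareness training", 15_000, aro_factor=0.5)],
         [Transfer("crime policy rider", 35_000, coverage_fraction=0.8)]),
        (Risk("R3", "outage at document-imaging vendor", "operational",
              "COO", aro=0.5, sle=20_000),
         [Control("secondary vendor on retainer", 8_000, aro_factor=0.5)], []),
    ]
    rows = []
    for risk, controls, transfers in items:
        treated = choose_treatment(risk, controls, transfers)
        rows.append({"id": risk.id, "owner": risk.owner, "inherent_ale": inherent_ale(risk),
                     "treatment": treatment_label(treated), "residual_ale": residual_ale(treated),
                     "annual_cost": annual_cost(treated)})
    return sorted(rows, key=lambda r: r["inherent_ale"], reverse=True)  # highest exposure first


if __name__ == "__main__":
    for row in build_register():
        print(row)
```

With the constructed figures, R1 is mitigated (MFA and encryption bring residual ALE to 40,000 at a total expected cost of 80,000, cheaper than the 90,000 of insuring it), R2 is mitigated through training, and R3 is accepted because the 8,000 standby-vendor retainer costs more than the 10,000 of expected loss it avoids. A real register would add the review date and the control-test evidence for each row, and the board, not the spreadsheet, sets the tolerance.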
Simplify the Risk Management Process with ZenGRC
With the amount of personal information collected by insurance companies, cybersecurity risk analysis should be a top priority to protect consumer data.
Traditional tools like shared calendars, spreadsheets, and emails to track tasks and discussions take time that could be better spent monitoring cybersecurity. Maintaining an effective information security program requires efficient workflows to coordinate communication and task management across internal stakeholders.
This is true for all insurance players: financial services, life insurance, health insurance, or property and casualty insurance services.
ZenGRC provides insurance compliance software with workflow tagging that allows you to prioritize tasks. As a result, everyone knows what to do and when to do it, so you aren’t manually chasing down answers.
It’s a turnkey solution with built-in content for multiple risk management frameworks, enabling you to start your first risk assessments in minutes. Automated audit trails document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
Schedule a demo today for more information about how ZenGRC can streamline your risk management strategy.