One out of four Americans believe they’ve been the victim of cybertheft, a recent study shows—and they fear exposure to cybertheft, identity theft and personal privacy even more than threats to their personal safety.
The news serves as strong caution to insurance industry leaders, given that insurance companies share access to two of consumers’ most valuable assets: protected health information and financial data.
Today, there is a maze of federal and state information security laws that apply to insurers, ranging from the Federal Gramm-Leach-Bliley Act and the HIPAA Security Rule to state information security laws of general application. In 2017, the National Association of Insurance Commissioners (NAIC) proposed the Insurance Data Security Model Law, as a basis for uniformity across jurisdictions as states look to update insurance regulatory requirements relating to information security, the investigation of a cyber event, and the notification of cybersecurity events to state insurance commissioners. The model law establishes rules for insurers, agents and other licensed entities to protect consumers from cyber threats. These rules include conducting ongoing risk assessments and exercising thorough oversight of third-party service providers’ efforts to maintain information security.
As insurers look to insurtech and fintech partners to modernize and streamline business processes, they must understand that they are ultimately responsible if a third-party service provider does not have adequate data security measures in place to protect sensitive policyholder data.
Protecting Consumers from Payment Data Theft
Many insurers are now turning to outside service providers to manage administrative functions such as claim payment processing. This move makes sense given the potential for increased efficiency, reduced cost and enhanced customer service associated with some outsourced administrative solutions. But when reviewing a claim payment processor’s credentials, it’s important to pay close attention to the company’s data security practices, as well as the security certifications it maintains.
There are three strategies to consider.
Be diligent about checking third-party providers’ security credentials.
When your company’s reputation is on the line, you need a claim payment processor that not only understands the importance of high-level security precautions for claims data, but also demonstrates its commitment through diligent credentialing, comprehensive audits performed by reputable organizations, and routine information security training of its personnel.
One insurance company paid a $5 million settlement for exposing 1 million consumers to theft of their Social Security numbers, driver’s license data, credit scoring information and other personal data in 2012. The culprit: failure to apply a security patch that would have prevented hackers from accessing the data.
That’s one reason why it’s so important to be vigilant in holding third-party service providers to the highest cybersecurity standards. In addition to checking for HIPAA compliance, insurance companies should select only those third-party service providers that maintain these credentials:
- Payment Card Industry (PCI) Security Standards certification, which supports protection for sensitive payment card information—critical in an era of digital transactions as well as in-office payment
- Service Organization Control (SOC) 1 and 2 compliance, with SOC 1 focusing on financial audit controls and SOC 2 centering on operations and compliance controls
- NACHA Certified, a voluntary accreditation program for third-party senders and those that send automated clearinghouse (ACH) payments; NACHA’s standards include a solid risk and compliance program, stability, sound governance and strong core ACH practices.
Assess the third-party providers’ cybersecurity risk
With demand for e-payments by insurers continuing to swell, verifying that a third-party claim payment processor has invested in a front-line security response for e-pay transactions is critical. Three approaches to consider include the following:
- Ask for proof that penetration tests and vulnerability scans have been performed—and request a copy of the results.
- Provide the third-party vendor with a security questionnaire to complete yearly. Ask an outside company to evaluate the responses.
- Require the third-party provider to hire an outside specialist to perform an onsite security assessment. The results of this assessment should be made available for your review as a condition of doing business with the company.
Evaluate the vendor’s business continuity and disaster recovery strategy
Ask the vendor to share the investments it has made to ensure data will be protected and available to your company at all times in the event of a disaster of any type. Important considerations: whether the claim payment processor has invested in a reliable solution for data backup; whether it keeps all sensitive information onshore, and whether sensitive information is encrypted while at rest.
Making the Right Investment
In an era of increased cybersecurity risk, insurance companies must take risk assessments of their outside vendors as seriously as they take their own—especially when vendors have access to sensitive consumer information. Don’t rely on a contractual requirement that the third party maintain compliance. Trust but verify, as the saying goes. Taking the time to assess third-party providers according to the standards discussed above helps establish partnerships that increase efficiency, limit risk, and protect policyholder relationships.
Jeffery W. Brown is president of VPay®, a leading turnkey claim payments platform focused on the property and casualty, workers’ compensation, healthcare and warranty industries.