Insurers Weigh in on Vendor Security Assessments

Every insurer today is conscious of potential security exposures. Third parties are a significant source of exposure as infamously demonstrated by Target’s 2013 data breach, which cost the retailer $292M in cumulative expenses. Corporate governance and regulators demand that this issue be a priority that is taken seriously.  

This is manifest in the ever-increasing amounts insurer IT organizations are spending in this area. For example, in our most recent annual IT Budgets and Projects Research Council Study, insurers were allocating 11% of their budgets to security.   

In an effort to better understand how insurers are managing the security exposure vendors might introduce, Aite-Novarica Group recently polled a sampling of midsize property/casualty insurers regarding their vendor security assessment practices.  

Responsible Parties 

All of the insurers polled employ a cross-functional team and/or approach. In addition to IT/IT Security, other groups may include Legal, Risk Management, Internal Audit, Procurement, Finance, Marketing, and Compliance. These functions may be organized into a committee set up specifically to review vendors or manage risks. Some organizations combine the security assessment with a broader risk review that addresses finance, OFAC, privacy, legal, and reputation.  

Risk-Based Approach 

One size does not fit all. Each insurer takes a risk-based approach, increasing the level of scrutiny based on the potential exposure. The type and volume of carrier data shared with the vendor, as well as carrier system access, drive the risk analysis. Riskier vendors may be required or asked to provide additional information. A minority of insurers mentioned that they re-assessed riskier vendors regularly and had a streamlined assessment for low-risk vendors.  

Documentation 

All the insurers require evidence of risk mitigation. They all require SOC 2 reports. Other documents reviewed, depending on the insurer, are third-party assessments and certifications (ISO 27001, PCI, HITRUST, etc.), IT security questionnaires, vendor policies and procedures, penetration testing results, network diagrams, MSA, NDA, NYDFS questionnaires, HIPAA questionnaires, and SLAs. A minority of insurers request business continuity and hiring and training practices documentation.

Consulting and Staff Augmentation Vendors 

Consulting and staff augmentation vendors are scrutinized in the same manner as other vendors. In addition to the previous practices, most insurers cite strong contracting language as key. In addition to the master services agreement, critical components of the contract(s) include non-disclosure agreements, confidentiality clauses, personnel screening requirements, data security agreements, and commitment to periodic security training. Evidence of actual background checks and training may be requested depending on the potential exposures.  

Contracting 

Most insurers mandate specific language be incorporated into the vendor contract as part of the vendor approval process. Where specific language is not demanded, the insurer requires evidence of best practice to be submitted for memorialization in subsequent vendor contracts.  

Concluding Thoughts 

As Target and other corporations have learned the hard way, data breaches and security lapses are costly. Assessing vendors for security exposures is a case of “an ounce of prevention is worth a pound of cure.” To learn more about data security and third-party service providers, read Aite-Novarica Group’s report Insurance Technology Strategy and Regulatory Compliance, Vol. 6.  
