
The roles and responsibilities of an insurance compliance officer

Image: Reciprocity Labs

The insurance industry collects clients’ data, which needs protection against leakage and cyber-attacks. Compliance officers in the industry oversee the implementation of information security measures that keep this data safe.

Compliance has become highly vital with the digitalization of insurance activities, including the collection of premiums and the payment of claims.

What Information is collected by the Insurers?

Insurance covers various sectors, including home, life, healthcare, auto, and general liability insurance services, among many others. All of these services require that you apply through the insurance company. During the application process, the company collects personal data that may be sensitive and that requires protection. As such, insurance companies must undergo security compliance processes to show their readiness to handle private data appropriately.

Such compliance requirements include the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). While HIPAA ensures the protection of clients’ private data, PCI DSS is crucial in ensuring that the company’s payroll department pays employees and claims in a way that does not breach privacy rights. This is especially critical if the company pays claims through a payment vendor.

What Threats Affect the Insurance Industry?

Statistics on the threats that affect the insurance industry were outlined by Accenture in a document released in November 2017. The statistics are as follows:

  • Any insurance company will receive an average of 113 targeted breach attempts annually.
  • A worrying number of cybersecurity executives from large companies lacked confidence in their strategies, with only 79% of them expressing confidence.
  • Approximately 61% of insurers took a relatively long time (months) to detect successful breaches.
  • Only 34% of insurers had functional cyber incident response protocols.
  • Only 66% of breaches are discovered by internal security mechanisms.

These numbers show a disconnect between insurers and cyber insurance providers. Most insurance companies fail to insure their own entities against unforeseen occurrences, especially where the premium may be significantly high.

What Threats Affect the Mid-Sized Insurance Companies?

Mid-sized companies experience more threats than their large counterparts. Smaller companies do not have sufficient resources, so their security budgets are significantly lower than those of large insurance firms.

Data from the Arctic Wolf Report shows that approximately 72% of mid-market IT professionals felt that they were tasked with so many roles that they lacked a clear focus on security. Also, 50% of the participants said that security was highly complex, and 51% of them felt the need for more resources to be allocated to security. Large firms have dedicated IT and compliance departments, which makes their security compliance relatively simple.

Types of Risk Management Options that Enable Insurance Companies

The management of information security risk entails the identification, assessment, and mitigation of risks. Companies typically follow these steps to manage risk:

Catalog data assets

You will need to identify all the information that you collect so that you can institute the structures and systems needed to protect it. The information that you may collect includes IP addresses, dates of birth, physical addresses, social security numbers, and account information.

Identify Data Storage and Transmission Systems, Applications, and Networks

After your company collects information, it is likely to share it in various ways. You may use a cloud storage service to back up the information for easier recovery. Ensure that you institute security measures, such as encryption and password controls, so that only internal stakeholders can access the data. You can also choose to run a web-based platform that allows clients to review their current account information.

Threat Identification

You need to identify any threat to your networks, applications, and systems, whether internal (a malicious employee) or external. If you run web-based systems, you need to institute encryption to mitigate attacks such as SQL injection and cross-site scripting. Also, protect the data from malware, such as ransomware, that can hold the information hostage.

Develop controls to Enhance Accessibility, Integrity, and Confidentiality of Information

You should put in place features that will protect information both now and in the future. Once you have identified the ways in which your data can be compromised, you need to put barriers in place to protect it. You may decide to use role-based authentication against internal threats, and firewalls, encryption, and endpoint security against external threats.

Monitor the Effectiveness of Your Controls

Threats evolve over time, making it necessary to regularly check the effectiveness of your current measures. If a threat persists, you need to improve your protection measures.
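The five steps above are easiest to see as a small risk register. The following Python script is an added example, not code from the article or from Reciprocity: it catalogs data elements by sensitivity (step 1), maps them to the systems that store or transmit them (step 2), lists the threats that apply to each system (step 3), checks which required controls are missing (step 4), and flags controls whose last review is overdue (step 5). The sensitivity classes, the threat-to-control mapping, and the three systems in `INVENTORY` are all constructed for illustration; a real register would be populated from the insurer's own data inventory and control framework.

```python
"""Minimal information-security risk register for an insurer's data assets.

Added example: the sensitivity classes, threat/control mapping and inventory
below are constructed assumptions, not the article's or any vendor's data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Step 1: catalog the data elements the insurer collects and how sensitive each is.
SENSITIVITY = {
    "ssn": "high", "date_of_birth": "high", "account_number": "high",
    "physical_address": "medium", "ip_address": "low",
}
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class System:
    """Step 2: a place where data is stored or transmitted (assumed shape)."""
    name: str
    fields: list[str]            # data elements this system holds
    exposure: str                # "internal" or "external" (web-facing)
    controls: dict[str, date]    # control name -> date it was last reviewed


# Step 3/4: threats considered per exposure and the controls that address them.
# Insider threats apply to every system; web-facing threats only to external ones.
THREAT_CONTROLS = {
    "internal": {"malicious_insider": ["role_based_access", "audit_logging"]},
    "external": {
        "sql_injection": ["parameterized_queries", "input_validation"],
        "cross_site_scripting": ["output_encoding", "input_validation"],
        "ransomware": ["endpoint_security", "offline_backups"],
        "eavesdropping": ["encryption_in_transit"],
    },
}


def classify(system: System) -> str:
    """A system inherits the highest sensitivity of any data element it holds."""
    levels = [SENSITIVITY.get(f, "low") for f in system.fields]
    return max(levels, key=RANK.__getitem__, default="low")


def applicable_threats(system: System) -> dict[str, list[str]]:
    """Threats that apply to this system, with the controls each one requires."""
    threats = dict(THREAT_CONTROLS["internal"])
    if system.exposure == "external":
        threats.update(THREAT_CONTROLS["external"])
    return threats


def control_gaps(system: System) -> dict[str, list[str]]:
    """For each applicable threat, the required controls not yet in place."""
    gaps: dict[str, list[str]] = {}
    for threat, required in applicable_threats(system).items():
        missing = [c for c in required if c not in system.controls]
        if missing:
            gaps[threat] = missing
    return gaps


def overdue_reviews(system: System, today: date, max_age_days: int = 365) -> list[str]:
    """Step 5: controls whose last review is older than max_age_days need re-checking."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(c for c, reviewed in system.controls.items() if reviewed < cutoff)


def risk_report(systems: list[System], today: date) -> list[dict]:
    """One row per system, most sensitive and most exposed first."""
    rows = [{"system": s.name, "sensitivity": classify(s),
             "gaps": control_gaps(s), "overdue": overdue_reviews(s, today)}
            for s in systems]
    rows.sort(key=lambda r: (-RANK[r["sensitivity"]], -len(r["gaps"])))
    return rows


# Constructed sample inventory (names, fields and review dates are made up).
INVENTORY = [
    System("claims-portal", ["ssn", "date_of_birth", "account_number"], "external",
           {"encryption_in_transit": date(2023, 1, 10), "input_validation": date(2024, 3, 1),
            "parameterized_queries": date(2024, 3, 1), "role_based_access": date(2024, 2, 15)}),
    System("backup-bucket", ["ssn", "date_of_birth", "account_number", "physical_address"],
           "internal", {"role_based_access": date(2022, 6, 1), "audit_logging": date(2024, 1, 5),
                        "encryption_at_rest": date(2024, 1, 5)}),
    System("quote-form", ["ip_address", "physical_address"], "external",
           {"input_validation": date(2024, 5, 1), "output_encoding": date(2024, 5, 1)}),
]
REPORT_DATE = date(2024, 6, 1)  # assumed "today" for the monitoring step

if __name__ == "__main__":
    for row in risk_report(INVENTORY, REPORT_DATE):
        print(f"{row['system']:14} sensitivity={row['sensitivity']:6} "
              f"gaps={row['gaps']} overdue_reviews={row['overdue']}")
```

Running the script prints the register sorted so that the high-sensitivity, web-facing claims portal comes first; it shows, for instance, that the portal has no output encoding against cross-site scripting and that its transport encryption has not been reviewed within the year. Adding a system or a new threat only means extending `INVENTORY` or `THREAT_CONTROLS`, which is the point of keeping the catalog, the threat model, and the control set as data rather than ad-hoc checks.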


Ken Lynch is an enterprise software startup veteran, who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that.
