Insurance companies are the target of 113 cyberattacks per year—and the types of cyber threats companies face are becoming more sophisticated, with intense focus on the potential for high returns. Given that insurance companies maintain access to two of the most sought-after data types—protected health information and payment information—securing data from unauthorized access is vitally important. One obvious place to step up security and compliance: electronic claims payment.
Consider that auto accidents typically result in payments to multiple parties. When insurance companies replace paper-based payment with digital payment solutions, they reduce the administrative costs related to claims processing. They also ensure payees are paid according to their preferences—from automated clearinghouse payments to virtual card payments.
But while electronic payment eliminates the risk of check fraud, payments and payment information are still vulnerable to attack. The cost of a cyberattack doesn’t just hit insurers’ pocketbooks: A KPMG survey found 33 percent of consumers would stop making purchases from a company for at least three months after an attack.
How can insurance companies better protect electronic payments and policyholder data from cyber theft—especially when using third-party service providers? There are some important steps to consider.
Hold third-party providers to the highest security standards. When you choose to work with a third-party vendor, you need to hold the vendor to the same high standards you’d expect from your own organization. After all, the vendors you contract with are an extension of your brand, and ultimately, you are responsible for ensuring the security of your data—wherever it is held. Look for a third-party claim payment processor that demonstrates its commitment to protecting sensitive information by maintaining the following credentials:
- Payment Card Industry (PCI) Security Standards certification, which supports protection for sensitive payment card information.
- Service Organization Control (SOC) 1 and 2 compliance, with SOC 1 focusing on financial audit controls and SOC 2 centering on operations and compliance controls.
- NACHA Certified status, a voluntary accreditation program for third-party senders and others that originate automated clearinghouse (ACH) payments.
Given that the Insurance Data Security Model Law puts responsibility on insurance companies to ensure their third-party service providers are compliant with information security standards, thoroughly assessing the security compliance of all third-party providers—especially those that have access to protected policyholder information—is critical.
Ensure that the company uses the most up-to-date encryption technology available. Sensitive information should be encrypted in transit (e.g., as it moves between networks) and at rest (e.g., when stored on a laptop or flash drive). Encrypting data at rest offers protection if a physical device that is used to access sensitive data—such as a laptop or mobile device—is stolen. To protect data at rest, third-party providers can encrypt sensitive files before storing them or encrypt the data at the database level.
Ask the payment provider for copies of its most recent security assessments. Sixty percent of companies don’t verify third-party vendors’ ability to protect the security of their data, even when sensitive data is shared, a 2016 Ponemon Institute survey showed. With so much at risk, insurance companies not only should review the third-party vendor’s written IT security policies and procedures, but also should request assessments of the vendor’s:
- Physical security controls
- Perimeter security
- Wireless networks
At a minimum, such assessments should evaluate the likelihood of a consumer data breach and identify the action steps needed to bolster security, if applicable.
Additionally, insurance companies should request security assessments for each subcontractor of their chosen vendor that touches their data.
Evaluate the vendor’s business continuity and disaster recovery strategy. Talk with claim payment processing vendors about the investments they have made around disaster prevention and recovery. Ask how often data is backed up; where backup servers exist; and whether the claims payment processor has invested in a cloud-based solution for data backup. If a cloud-based solution is used, check to see whether a service disruption test has been performed to gauge the effectiveness of the solution’s response.
Continue to monitor third-party payment vendors yearly. Require vendors to complete IT security questionnaires each year, and request evidence of yearly security assessments. Doing so helps to ensure protection against the latest cybersecurity threats.
Due Diligence for a New Era
At a time of increasing cybersecurity risk, it has never been more important to verify your policyholders’ most sensitive data is protected at all times. Taking the time to vet third-party payment providers based on their ability to prevent data theft is critical to protecting the value of your investment and your relationship with your customers.