No organization is immune from a cyber attack or data breach—making cyber security a top concern for organizations, including commercial insurers that could be on the hook for costs associated with multiple breaches if multiple clients are exposed.
That’s why, during the third quarter of 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. The model law, which unlike an enacted law is not legally binding, serves as a “framework from which insurance regulators in each state can create their own cyber security rules,” according to the Property Casualty 360 article, “5 things you should know about the NAIC’s new data security model law.”
Property Casualty 360 says the five things everyone should know about the model law are:
- The cyber risk landscape is evolving.
- New York State’s cyber security requirements for financial companies influenced NAIC’s model law.
- NAIC’s model law is different from an enacted law.
- Insurance businesses should subscribe to specific cyber security practices.
- Company boards are expected to take the lead when it comes to cyber security efforts.
Ultimately, the NAIC framework for maintaining a solid information security program focuses on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cyber security event—all areas where risk management technology can help, whether you’re the insurer or the insured.
While risk management technology is not security software, per se, it certainly can help with an organization’s cyber security efforts—institutionalizing the cyber security framework and automating all related tasks to ensure it’s a true line of defense.
Risk management technology assists with ongoing risk assessment
Ongoing risk assessment actually requires its own framework for continually assessing risks; identifying risk owners; and easily configuring and sharing data. It also requires being able to evaluate real-time data, instead of rear-view data.
The right risk management technology can automate all workflows associated with assessing risk on an ongoing basis, including alerting stakeholders to tasks they need to complete in the interest of data security.
In fact, the configuration, workflow and collaboration capabilities can be so simple within risk management technology that streamlining daily tasks and repeating processes becomes as easy as a few clicks.
If it’s cloud based, such technology can further enable ongoing risk assessment by automatically collecting, updating, formatting and disseminating data in real-time. This results in spending less time manually consolidating data across the enterprise. Even more, data will be dynamic—updated and visualized in real time—so you spend more time acting and less time reacting.
Risk management technology assists with managing third-party service providers
If another cloud-based technology vendor sounds like one more opportunity for cyber attacks, you’re right: Fewer technology vendors can actually mean improved data security.
With fewer applications or systems to manage, and less burden on your internal server, your IT department might have more time to focus on broader cyber security efforts that will make more of an impact. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance.
However, instead of viewing risk management technology as another third-party tech vendor on the list, you should view it as one of the few broad solutions out there with so much power that it can actually consolidate a whole host of other vendors.
Risk management technology by its very nature is built to span a variety of departments and business challenges. Just as organizational risk is broad, so are the solutions housed within a risk management information system.
In fact, risk management technology can oftentimes replace the following solutions (and more) that are singular offerings from some vendors:
- Business Intelligence Analytics
- Enterprise Risk Management Systems
- Internal and Operational Audit Systems
- Health and Safety Management Systems
- Compliance and Regulatory Management Systems
- Vendor Risk Management Systems
- Business Continuity Systems
Risk management technology can assist with reporting cyber security events
Preventing cyber events is obviously important, but meeting data security compliance requirements is just as critical…and difficult.
IT compliance is a specialized set of activities to ensure that an organization meets the requirements of contractual obligations and government-imposed IT regulations for the protection of data assets and processes. Failure to adequately perform this function can result in substantial fines and contractual penalties, as well as loss of business.
Risk management technology features that can help mitigate these risks include: a full audit trail of all compliance activity, including attestations; an unlimited asset register with relationships used to define location, possession, configuration, software, etc.; solutions that are fully configurable to your organization’s requirements; and reports that enable quick identification of all instances of any asset type.
Risk management technology can also assist with automatically triggering your disaster recovery plan in the event of a breach—alerting stakeholders to the event and to the next steps that accountable individuals need to take.
Not only will a well-oiled and timely approach likely help with reputation management in such scenarios, it could help with compliance, too, as requirements are increasing globally for how data and subsequent breaches must be handled.
Adopt processes and tools that can spare your business financial peril
According to 2018 risk forecasts, cyber security is a top concern for organizations this year. Those businesses that adopt processes and tools that can help mitigate cyber risks by enabling ongoing risk assessment, third-party vendor management, and compliance and reporting are best suited to survive these often financially damaging events.