


Preventing Data Breaches

Like businesses in most industries today, insurance organizations are facing an unusually high level of uncertainty due to circumstances beyond their control. While our nation currently faces the reality of COVID-19, which has wreaked havoc on the U.S. economy, businesses in every industry need to focus on ways to remain viable.

Certainly, when you outsource the production and delivery of your policyholder communications to a third party, it is important to ensure the provider has the resources and staffing required to manage your work. However, to help you sleep at night, today the most critical thing to ascertain is what security measures they have in place to protect the privacy of the data included in your billing notices, policies, quotes, EOBs, and other communications.

Data breaches have become an unfortunate reality of doing business, with the number of reported breaches increasing by more than 50% in 2019 compared to the previous year. As an industry that processes large amounts of private data, insurance is a prime target for criminal enterprises and malicious insiders. The risk of exposure is even greater for enterprises that outsource their electronic document processing, billing and distribution solutions to a third-party provider. With more U.S. states enacting tighter data breach legislation, prioritizing data security is imperative for insurers, particularly those that outsource documents.

Five security measures you should look for

It is no longer enough that a potential service provider can show written policies and procedures; there must also be evidence and technical solutions in place to support those policies. A robust and mature security program is the best way to head off data breaches and to minimize exposure once they occur. Here are the top five security measures you should look for when outsourcing the management of your company’s transactional documents, along with some guidance on how best to validate your provider’s security program.

1. The restriction and monitoring of access to secure areas and information systems

The third-party provider you use should provide evidence that they secure areas that house information systems with physical barriers, locked entrances and authorized access monitored through an alarm system, CCTV, and other measures. Monitoring system activity is equally important. Make sure your third-party provider has a system for aggregating and reviewing logs that includes a qualified, dedicated team to configure software to log activity, periodically validate those configurations and conduct regular log reviews. If the provider leases data center or IT assets from a “fourth-party” company, these controls should also be used by those providers.

2. The technical safeguards in place to protect information systems

When evaluating a service provider, confirm that it has implemented technical safeguards and controls to prevent unauthorized access to company networks and electronic transactions. Verify that it protects all servers with a well-rated hardware firewall and employs an intrusion detection system (IDS). A layered, well-documented network and computer security system should also include strong encryption of data in all phases of production. Remember, in data security, technical controls are always preferable to written policies.

3. A comprehensive contingency and incident response program

Even with the best precautions, emergencies and incidents are inevitable. All of your providers should have well-developed contingency and incident response plans to share with you that include a clearly identified chain of command, defined procedures for handling a variety of scenarios and a redundant IT infrastructure. The plans should be tested at least annually and team members should receive regular training on their assigned roles and responsibilities.

4. Regular risk assessments and up-to-date risk management plans

It is critical that service providers handling your policyholder communications have a solid plan in place to identify and respond to external and internal threats and vulnerabilities in their information systems and physical facilities. The plan should be updated no less than once a year, and more frequently if they’ve made significant changes to their technology or operations. The plan needs to assign a probability and an impact to each risk, and include specific ways these risks are mitigated.

5. Biller authentication and non-repudiation of bills

While many of the measures I’ve discussed protect the back end of processing, it’s just as important to assure customers that their data is intact on the front end. Ask about additional enhancements like biller authentication and non-repudiation of bills. These measures make sure only authorized parties access consumer data and authenticate the validity of requests for payment.

Check for the proper certifications

Evaluating a third-party provider’s security program has many variables. While many data security and privacy laws establish requirements for safeguarding personal information, they give organizations a lot of latitude in how they implement those requirements. This means the quality of security programs can vary widely. Certification of a recognized security framework ensures that the organization complies with a standardized set of controls validated by an independent third party.

Some of the most rigorous and recognized frameworks and regulations include HITRUST CSF, NIST 800-53, IRS Pub 1075, ISO 27001, SSAE-18, PCI DSS (for payment processing), and Sarbanes-Oxley.

  • The HITRUST CSF is a certifiable framework for regulatory compliance and risk management. It includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, and PCI.
  • NIST 800-53 is the regulatory standard for security and privacy controls developed and maintained by the U.S. National Institute of Standards and Technology. It is intended to heighten the security of information systems used by the federal government, and applied to all systems that store, process or transmit federal information. The law requiring this certification is the Federal Information Security Management Act (FISMA).
  • ISO 27001 is often referred to as the gold standard for security certifications and is internationally recognized, making it particularly useful for organizations that process Personally Identifiable Information (PII) outside the U.S. Developed by the International Organization for Standardization, ISO 27001 requires organizations to demonstrate they have implemented an information security management system in addition to several controls governing the security of IT systems and data.
  • SSAE-18 was developed by the American Institute of Certified Public Accountants (AICPA) and requires organizations to comply with Trust Service Principles modeled on four broad areas: policies, communications, procedures and monitoring. Organizations demonstrate compliance through three Service Organization Control (SOC) reports: SOC 1, SOC 2 and SOC 3 (for ecommerce systems). Like ISO 27001, SSAE-18 has widespread recognition across multiple industries.
  • PCI DSS is a globally instituted security standard for all merchants and service providers that accept credit card information. The latest PCI-DSS standard is version 3.2.1. You should ensure that payment-capable providers are assessed and compliant under the Level 1 merchant standard, which requires an on-site third-party assessor.
  • Last but not least, Sarbanes-Oxley addresses security requirements for all corporate accounting controls mandated by U.S. federal law.

With data breaches on the rise, insurers must take steps to validate not only their own security practices, but also those of any third-party providers to whom they outsource the processing of policyholder communications and payments. Doing due diligence when outsourcing your transactional documents will give you—and your customers—the assurance that all steps have been taken to protect private information.


