Did you just hear that loud crunching noise? That was the sound of another Chief Security Officer clamping down on the security protocols of their vendors. With the unending parade of data breaches and failed expectations, it's perfectly understandable.
Organizations today are no longer stand-alone operations. Businesses routinely interconnect with other businesses, outsourcing has become a strategy for many business processes, and third-party relationships are critical for success. However, with today's ever-growing threat horizon, vendor risk management should be carefully considered, particularly when data is involved.
Of course, the worst and most publicized data breaches involve our PII (Personally Identifiable Information), allowing thieves to profit from information they should never have had. The consequences have been catastrophic for some businesses, and the regulations around PII are getting tighter every year (see our recent post on the new privacy rules for European Union members).
The good news for those seeking to outsource their certificate of insurance tracking is that there are no credit cards or social security numbers that could be stolen. Nevertheless, the data is private and must be respected and protected by those to whom it is entrusted.
Increasingly, we see security audits becoming a routine component of vetting the compliance vendor prior to execution of the service contract. What began a few years ago as casual, generalized security questions has turned into formal questionnaires and on-site visits to the vendor's facilities to ensure that what is being represented is in fact true.
There are a few key things to keep in mind:
As most service providers offer some form of online platform accessible by the client, it's worth knowing how that platform is hosted and what security controls have been put in place. Unfortunately, basic firewalls alone don't do the trick: there are simply too many skilled bad actors who can get past even the best of them. The compliance vendor needs to use a top-grade hosting/data center company, such as those run by Amazon, Microsoft, IBM or Google. These companies employ very high levels of security controls and monitoring. A smaller outfit simply won't have the resources to handle the daily flood of probes and attacks that have become commonplace.
The platform should be periodically tested to measure how resistant it is to intrusion. "Penetration testing," as it's called, can reveal weaknesses in the fortress where the walls could be breached and the bad guys let in.
The vendor's own facilities can be a target too. It's often not difficult to find a company's IP address range and poke around for soft spots. Once one is found, attackers can reach internal networks and do serious damage, including holding the business for ransom. (Remember, the Target breach began with weak security at one of its own vendors.) The answer is to run vulnerability scanning on a daily basis. This detects whether any software or hardware devices used by the vendor's organization have a known security weakness. Patching those weaknesses promptly is essential to running a secure operation.
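What a daily scan actually has to decide is "which of our installed versions are still below the fixed version in a known advisory, and which of those are new since yesterday?" The following Python is an added illustration of that check, not code from this post or from any scanning product; the inventory, product names, version numbers and advisory ids are all constructed placeholders, and it assumes versions are plain dot-separated integers (real scanners also have to handle vendor-specific version schemes and backported fixes).

```python
"""Added example: compare a software inventory against known-vulnerable
version ranges, rank what needs patching, and flag what is new today.
All products, hosts, versions and advisory ids below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that is no longer affected
    severity: str      # critical / high / medium / low
    advisory_id: str   # placeholder id, not a real CVE


# Constructed advisory feed (placeholder identifiers).
ADVISORIES = [
    Advisory("webserver", "2.4.10", "critical", "ADV-PLACEHOLDER-0001"),
    Advisory("vpn-gateway", "9.1.3", "high", "ADV-PLACEHOLDER-0002"),
    Advisory("ticketing-app", "5.0.0", "medium", "ADV-PLACEHOLDER-0003"),
]

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("web-01", "webserver", "2.4.7"),
    ("web-02", "webserver", "2.4.12"),
    ("vpn-01", "vpn-gateway", "9.1.1"),
    ("desk-01", "ticketing-app", "5.2.0"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so tuples compare numerically,
    avoiding the classic string-comparison bug where '2.4.7' > '2.4.10'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """Affected when the installed version is strictly below the fix.
    Shorter tuples are padded with zeros so '5.0' == '5.0.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_unpatched(inventory, advisories) -> list:
    """Return findings sorted by severity, then host, so the patch
    queue is already prioritised for the operations team."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = []
    for host, product, version in inventory:
        for adv in by_product.get(product, []):
            if is_affected(version, adv.fixed_in):
                findings.append({
                    "host": host,
                    "product": product,
                    "installed": version,
                    "fixed_in": adv.fixed_in,
                    "severity": adv.severity,
                    "advisory": adv.advisory_id,
                })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["host"]))
    return findings


def new_since(previous: set, findings: list) -> list:
    """Daily scanning only pays off if new exposures stand out:
    return findings whose (host, advisory) pair was not seen before."""
    return [f for f in findings if (f["host"], f["advisory"]) not in previous]


if __name__ == "__main__":
    # Constructed "yesterday" state: the vpn-01 finding was already known.
    seen_yesterday = {("vpn-01", "ADV-PLACEHOLDER-0002")}
    today = find_unpatched(INVENTORY, ADVISORIES)
    for f in today:
        flag = "NEW" if f in new_since(seen_yesterday, today) else "   "
        print(f"{flag} [{f['severity']:>8}] {f['host']}: {f['product']} "
              f"{f['installed']} -> patch to {f['fixed_in']} ({f['advisory']})")
```

The two details worth carrying into a real process are the numeric version comparison (a string compare silently marks 2.4.7 as newer than 2.4.10) and the "new since last run" diff, which is what turns a daily scan into something a team will actually act on instead of a report that looks the same every morning.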
Unfortunately, cybersecurity has become a critical business issue. There is zero indication this problem is being solved, so plan for the worst and hope for the best. Be proactive: ask questions before you sign the contract, and make sure you're satisfied with the answers.