Protecting personal data. Seventy-one percent of insurers don’t believe they have the resources to detect a sophisticated cyberattack. (Photo: Shutterstock)

As Amazon, Netflix and Uber set the bar for superior digital service, insurance companies are increasingly turning to third-party platforms for FinTech payment and digital tools that transform the policyholder experience, an EY report shows. This raises strong concerns over the security of policyholder data across the continuum of service.

Sixty-four percent of insurers polled by EY say policyholders’ personal, identifiable information is the most valuable information cyberthieves seek, and nearly half have discovered “significant” cybersecurity incidents in their organization. Yet 71% of insurers don’t believe they have the resources to detect a sophisticated cyberattack. Only 11% believe their approach to cybersecurity meets the needs of their organization.

Given that insurance companies are a prime target for cyberattack, with 113 targeted breach attempts per company each year, how can companies better protect policyholder data during claim processing, when policyholder data is particularly vulnerable? There are four strategies to consider.

Step up your company’s internal education efforts. Eighty-two percent of insurers polled by EY say their company’s most common cause of attack is carelessness on the part of their employees. Use the results of your cybersecurity assessment to revamp employee education to focus on your company’s biggest vulnerabilities, such as use of the internet on work computers, opening phishing emails, and leaving sensitive policyholder information in view of visitors. With 6.4 billion fake emails sent worldwide daily, bolstering your frontline cybersecurity defense is critical.

Assess your ability to detect a cybersecurity attack. Seventy-one percent of insurers polled by EY don’t believe their company could detect a sophisticated cyberattack. Meanwhile, nearly half of insurance companies have uncovered significant cybersecurity events in their organization. As data breach risks increase, testing your company’s cybersecurity defense is vital. Contract with an outside cybersecurity firm to evaluate your company’s IT security policies and procedures, and assess your company’s physical security controls, perimeter security, and the strength of your wireless networks.

Hold third-party providers to the highest security standards. The Insurance Data Security Model Law puts responsibility on insurance companies to ensure their third-party service providers are compliant with information security standards. As more insurers are relying on third parties for digital transactions, payment processing and more, companies must be vigilant about verifying the strength of their service partners’ cybersecurity measures.

To ensure policyholder data is protected, look for third-party providers that demonstrate their commitment to data security by maintaining the following credentials, in addition to being HIPAA-compliant:

  • Payment Card Industry (PCI) Security Standards certification, which supports protection for sensitive payment card information
  • Service Organization Control (SOC) 1 and 2 compliance, with SOC 1 focusing on financial audit controls and SOC 2 centering on operations and compliance controls
  • NACHA Certified, a voluntary accreditation program for third-party senders and those that send automated clearinghouse (ACH) payments

Evaluate your business continuity and disaster recovery strategy. In the event of a disaster, how could your company be sure it would maintain access to policyholder data? It’s important to assess how often data is backed up; where backup servers exist; and whether your company and your service providers have invested in a cloud-based solution for data backup. If a cloud-based solution is used, check to see whether a service disruption test has been performed to gauge the effectiveness of the solution’s response.

Taking these four steps will better position your company to protect sensitive policyholder data during claims processing and beyond.

Jeffrey W. Brown ( is president of VPay, a claim payments platform focused on the property and casualty, workers’ compensation, healthcare and warranty industries.

To learn more about how to better protect your company’s data, join us at the America’s Claims Executive Leadership Forum & Expo in Las Vegas, Nevada on June 24-26.