Amica’s Chief Information Security Officer Gil Bishop doesn’t necessarily see third parties as liabilities, but his job is to fully vet the security and privacy capabilities of vendors before forging relationships. Insurers can’t “simply beef up with firewalls and intrusion detection systems and feel content we've done enough,” he explains, offering tips for ensuring that sensitive data accessed by third parties is well protected.

Begin With Basic Risk Assessment

Don’t limit initial discussions to IT-related services, Bishop says. Remember, any vendor’s remote or network connectivity presents an entry point for an attack. This includes systems that may be overlooked – even HVAC or lighting controls can have online management portals.

“Trust, but Verify”

Bishop says potential vendors are required to provide documentation to Amica showing they have a capable and mature information security program. These include security policies, network infrastructure diagrams, physical and logical access controls and, most importantly, findings reports from any independent information security audits or assessments.

Rely on Independent Audits

The problem with accepting a third-party validation is that the scope of the assessment must include all of the systems and processes which directly or indirectly touch Amica's information, Bishop says. Vendors may provide a valid ISO certification from their hosting provider, indicating their infrastructure is well protected, but the provider itself may not be up to par on application-level security. An independent, respected agency should review all critical elements.

Visit Vendor Facilities

When an acceptable independent validation report isn't available, site visits and in-person meetings with the vendor's technical and operational IT security staff are necessary. The goal is to develop a rating of the effectiveness of the vendor’s information security program. There can’t be any doubt that Amica’s information is protected, Bishop stresses.

Require Routine Updates From Vendors

It is the vendor’s responsibility to provide the insurer with current independent certification reports on an annual basis, Bishop says. At minimum, updated security reviews must be conducted whenever a contract is up for renewal. In cases involving high data volume and sensitivity, these periodic refreshes occur more frequently, he notes.