The global insurance industry, with worldwide premiums over $4.6 trillion and an asset base above $26.8 trillion, plays a vital role in managing global financial risk and safeguarding individual and business interests. Insurance companies collect, use, and store an enormous quantity of financial, health and medical information. This has led them, as well as regulatory agencies, to focus on establishing effective information security and privacy programs.
Insurance companies face a challenging risk landscape. As they launch innovative solutions and streamline operations, they increasingly face the risks involved with mobility, cloud computing, application platform integration, compliance management, and more.
With data breaches, fines, and litigation often the day’s top news headlines, data security is also of growing concern for insurers. Many insurance companies worry about managing:
- Risk – assessing, evaluating and mitigating financial, operational and information security risks.
- Compliance – complying with regulations and standards (e.g., GLBA, SOX, HIPAA) and minimizing financial penalties.
- Privacy – safeguarding customer identities against identity theft.
- Data protection – protecting sensitive financial information and health information, and maintaining data integrity.
- Identities – managing identities and access across varied applications, ensuring segregation of duties using role engineering, and integrating identities across the old and the new systems.
- Vulnerabilities – detecting and managing application, network, and system/device vulnerabilities.
- Incidents – detecting, preventing, and responding to information security incidents.
- Vendor risk – managing and exchanging information with multiple vendors and suppliers.
- Risk and Compliance Management – We help our insurance clients design, develop and manage security programs, including GRC frameworks, and automate GRC frameworks using RSA Archer. We can also assist with managing vendor risks and complying with legal and regulatory requirements such as privacy requirements, ISO27001, SOX, HIPAA, and GLBA.
- Identity and Access Management – We help our clients develop enterprise-wide identity and access management programs; engineer roles and manage entitlements; implement enterprise access management solutions (web access management, single sign-on, converged access control); and optimize their existing IAM implementations.
- Data Protection – We protect our clients’ data by helping them identify and classify sensitive data, protect both unstructured and structured data, and manage data leak incidents.
- Threat Management – We help insurance companies identify and manage threats using our vulnerability management lifecycle framework. We can assess and mitigate advanced persistent threats and evaluate human behavior risks using our Phishnix solution.
- Security Intelligence – We work with our customers to provide actionable intelligence to support security decisions by collating, analyzing, correlating and visualizing security events and logs from diverse IT systems and applications.
- Cloud Security – We provide strategic information security advisory services for cloud computing environments, enable our clients to build and secure cloud applications, and establish processes for effective cloud technology utilization.
We assist our insurance clients in effectively protecting their data, managing security incidents and vulnerabilities, and in implementing information security risk and compliance programs.
Our risk and compliance services cover the entire information security landscape and include:
- An integrated governance, risk and compliance (GRC) management approach that allows our clients to build a system that integrates all the compliance requirements, minimizing audit fatigue.
- A compliance readiness assessment plus assistance with readiness efforts. Our Compliance Manager solution helps our clients automate self-assessments.
- IT GRC automation using RSA Archer eGRC Suite. We support our customers through the lifecycle of blueprinting and deploying the solution, integrating it with processes and systems, and then managing it.
- Strategy and design – We evaluate client needs via executive workshops and field assessments and then provide a detailed strategy and roadmap for implementing enterprise-wide IAM initiatives. We also assist our clients with business case analysis, technology evaluation, and solution architecture.
- Role engineering and entitlement management – We help our clients define roles and manage entitlements to ensure employees have only the access that is required to do their job effectively and only for as long as they do that job. Policy-based dynamic controls allow for automating who can have access to what, at what time, and in what context.
- Access Management – We help our customers implement complete solutions for enterprise access management, including web access management, single sign-on, and converged access control.
- Sustenance and optimization – As an end-to-end solution provider, we support our clients in sustaining and optimizing their IAM solutions. Identity and access management is never static; systems need to evolve with enhancements and upgrades.
The insurance industry is heavily dependent on data, so protecting it is of prime importance. Most of the data handled by the industry is heavily regulated and data breaches can result in litigation or hefty fines.
Our data protection service helps our insurance clients identify and classify sensitive data as it is stored, processed and transported across the organization. We help our clients:
- Establish a data protection framework and strategy that governs the management of sensitive data such as customer and health information, payment card data, strategic and intellectual property information, etc.
- Conduct a data flow assessment (DFA) to identify where and how sensitive data is stored and used. We also conduct data leakage risk assessments (DLRA) to identify breach vectors and the risk of potential breaches.
- Integrate popular data protection technologies such as data leakage prevention (DLP), database activity monitoring (DAM), information rights management (IRM), data encryption, tokenization and masking/redaction technologies.
- Monitor their data protection technologies to identify potential data breach incidents, manage consequences, improve effectiveness by fine-tuning rule bases, and move rules from passive monitoring to active protection.
Working with Aujas, insurers can assess and secure their infrastructures, and web and mobile applications. Our application security services include:
- Helping our clients design, develop and manage vulnerability management programs. These programs leverage threat intelligence to anticipate and proactively mitigate vulnerabilities.
- Assessing the company’s infrastructure, application, and mobile application security by conducting vulnerability assessments, penetration testing and code reviews. We don’t simply stop at scanning technology; we also help you mitigate the risks found.
- Assisting our customers in mitigating advanced persistent threats with our APT risk mitigation service.
- Evaluating human behavior using our cloud-based Phishnix solution. This application not only assesses how susceptible people are to phishing attacks, it also trains them to avoid such attacks.
The insurance industry is another favorite target for hackers. Many, if not most, insurance companies deploy technologies such as traditional SIEM, the newer security analytics engines, exfiltration detection, advanced malware detection, and data leakage prevention. Aujas helps insurers get the most out of these technologies:
- We establish a more responsive incident management program for our clients by incorporating proactive and reactive processes. We enable our clients to define Indicators of Compromise (IoC), work with threat intelligence, and integrate it with their threat management program.
- We use our Correlation Library to provide accelerated rules deployment for various SIEM/SA/SI technology providers.
- We help security leaders see through the reporting fog and focus on what is critical with our analytics and visualization solution for SIEM/SA.
- We design custom SIEM/SA solutions that go beyond traditional security event analytics and integrate analysis and correlation to solve other issues such as identity fraud.
Cloud computing is a fast-growing technology, and cloud-based business applications are being adopted at a rapid pace.
Insurance companies, however, are entering the cloud cautiously. Before moving to the cloud, insurers must consider data confidentiality, security, regulatory compliance, interoperability of standards, and service quality.
We help our insurance clients enter the cloud with the confidence that their information security is designed to meet stringent insurance standards and comply with industry regulations. We offer:
- Cloud security advisory – We assist organizations in establishing effective cloud security governance, operations strategies, and tactical processes.
- Secure cloud applications – We build the cloud application and the ecosystem around the core platform so that cloud applications are easy to use and secure.
- Secure release – Cloud security is not a one-step process; it requires constant innovation across various business needs. Our secure release program for the cloud adopts new and proven approaches and technologies to help secure applications with less user intervention.
Our Methodology Provides the Insurance for an Effective DLP Implementation
Information security was a big concern for a large insurance company, which had units specializing in auto, health, and property and casualty insurance. To safeguard information and meet regulatory compliance requirements, the company had implemented ISO27001:2005 controls and achieved certification for compliance.
On Demand Security Assessment for Leading General Insurance Company
A leading general insurance company operated 59 branches and offered competitive products including car and two-wheeler insurance, and health and critical illness coverage.
This insurer was known for its online presence and for frequently launching new products and innovative services. It built and deployed applications with short development and release cycles and needed assurance that the security aspects of these applications were covered.