Authors: Tigran Karsian and Dana Pagliarulo, PMP, PMI-ACP
Data security has always been essential, but recent spikes in ransomware and public data dumps of sensitive information are a rising threat. Failure to control data can expose insurers to stiff penalties from regulators, compromise a company’s hard-earned reputation, or stop business in its tracks.
Unfortunately, securing internal systems is only half the battle. Most insurance companies partner with third-party providers for various business operations. Failure on their part to uphold high information security standards could cost your company dearly.
Security risks come in many forms, some more obvious than others. Accidental exposure of protected data, phishing and other social engineering attacks, malicious and non-malicious insider attacks, ransomware, and data loss during a cloud transition are all ways sensitive company data could become compromised.
According to the Ponemon Institute, the average cost of a data breach in the United States in 2020 was $8.6 million. But data breaches do more than cost money—they have the potential to do major damage to a company’s reputation, workflow, and morale.
At Perr&Knight, “data security” is more than a talking point. It’s an essential part of how we provide superior service to our clients. Here are some of the ways we elevate the standard for data security to defend our clients.
Our SOC 2 type 2 certification shows our clients we have established clear protocols for protecting their data and we continually live up to our own high standards.
Developed by the American Institute of CPAs (AICPA), SOC 2 outlines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.
Type 2 certification is an internal controls report capturing how we safeguard customer data and how well our controls operate in practice. SOC 2 type 2 certification requires outlining all our data security processes, including data storage, log-in access, credentialing processes, data transfer protocols, and more. Our SOC 2 reporting process covers all internal policies as well as how we manage data in our proprietary insurance support software, including StateFilings.com, StatReporter, and License Reporter.
We then produce documentation verifying that we have met these standards at an annual audit conducted by a qualified third party. In contrast to SOC 2 type 1 reporting, which is done only once, type 2 requires annual review.
Our network is protected by CrowdStrike, an industry leader in monitoring and blocking malicious actors. Unlike automated or semi-automated systems, CrowdStrike’s service agreement includes monitoring by experienced network operations center (NOC) analysts. This is significant because humans are better able than software-only solutions to distinguish genuine traffic anomalies, reducing the risk of a threat slipping through the cracks.
A network is only as strong as its ability to withstand attack—and it’s impossible to tell how network security will hold up unless an attack takes place. We proactively attempt to penetrate our own network defenses to reveal vulnerabilities before we find ourselves in a real-world data security emergency.
Working with Trustwave for network penetration testing and Elliot Davis for application penetration testing, we attempt to “hack” our own system on two fronts: from outside the organization and within the company. Separation of sensitive systems ensures data is partitioned and protected should a breach ever occur in one aspect of the organization.
By “pen testing” our applications, such as our industry-leading StateFilings.com app, we ensure our entire suite of technologies is robust enough to withstand brute force attacks or any other attempts to gain unauthorized access.
During decades of serving insurance companies of all sizes in all lines of business, Perr&Knight has worked with every type of organization, from newly-minted InsurTech start-ups to carriers with long histories. Each of these organizations has a different type and depth of data security needs.
In fact, the security audits conducted by top-10 insurance clients are often more intense than even SOC 2 type 2 audits, but Perr&Knight passes with flying colors every time. In many ways, our clients’ questionnaires mimic SOC 2 audits. As a result, we continually re-evaluate our security processes, adjusting our policies to ensure we stay ahead of our clients’ requirements.
Perr&Knight dedicates extensive resources to data security and ensuring we live up to our own high standards. Our clients trust us with their data and we take that responsibility seriously. Other companies may do the bare minimum, which is technically sufficient, but the disaster resulting from a breach makes cutting corners unacceptable. We invest heavily in maintaining strict processes and top-tier technology, but no price is too high for peace of mind.