Access Risk Management for Insurance

Insurance companies, like many other types of financial institutions, have historically been subjected to relatively strict government oversight. These historic conditions have led the insurance industry to create mature, well-established security programs in comparison to other industries. However, not all insurance companies are equipped to comply with the changing technological and regulatory environment and face a number of specific challenges when it comes to managing risk and protecting the information they collect and use.

Courion in Insurance

The widespread use of newer technologies has made information sharing within an organization and between organizations more common and more fluid, but also more vulnerable. Technology in the Insurance sector, as in many others, is shifting from closed, proprietary systems to open, flexible systems that allow greater and more meaningful interaction with the customer, headquarters, and business partners providing a range of back-office functions. The introduction of innovative technologies such as wireless networking, cloud-based applications, customer kiosks, mobile devices, etc. carries with it greater security risk, since the complexity of these systems and the various ways they interact introduces more potential opportunities for unauthorized access.

Security Models

The complex nature of these systems is exacerbated by the lack of accepted access and authentication standards, which forces both commercial and in-house system developers to create their own internal security model for creating and managing access rights.

Regulatory Requirements

Insurers collect, store and transmit vast amounts of nonpublic personal information (NPI) and are at increased risk of being targeted for fraudulent activity. Therefore, sound and reliable protection of data and personal identities is crucial.

A data breach can lead to loss of trust by consumers, partners and other stakeholders, in addition to considerable legal and financial liabilities. IT security controls can help insurance companies enhance and demonstrate their compliance with legal and regulatory requirements such as the Gramm–Leach–Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and state data breach notification laws.

What many of these requirements have in common is the mandate to establish a security plan, processes and procedures that enable financial institutions to ensure that only the right people have the right access to the right resources and are doing the right things with it.

For example, in GLBA, the US Congress mandated that, “…each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” To enforce this mandate, Congress directed various regulators to establish appropriate standards to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security or integrity of such records; and
  • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Accordingly, various agencies have published regulations and standards for safeguarding NPI, such as the Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (the Safeguards Rule). The American Institute of Certified Public Accountants (AICPA) published "Statement on Auditing Standards No. 70" (SAS 70), a widely recognized auditing standard used to report on a service organization’s operational controls, including controls placed in support of the GLBA Safeguards Rule.

The insurance industry, in particular, is subject to the Model Audit Rule (MAR), published by the National Association of Insurance Commissioners (NAIC). Similar to Sarbanes-Oxley (which public insurance companies are required to comply with), MAR requires private insurance companies to implement internal controls that protect financial reporting systems from unauthorized access. The controls are designed to ensure that the financial results reported by the insurance company represent a fair and accurate picture of the organization’s financial status. In order to comply with MAR or SOX, the insurance company must be able to certify and attest that only authorized personnel have access to key financial applications.

Courion helps financial institutions meet the requirements of GLBA, the Safeguards Rule, SAS 70, MAR, SOX and other regulations through the following features:

Regulatory requirement: Maintain and enforce a policy that addresses information security.

Courion solution: Courion enforces corporate information security policies, such as:

  • Access request authorization
  • User entitlements
  • Password security, strength and reuse
  • Compliance with security guidelines or government regulations
  • Termination of ex-employee access rights

Regulatory requirement: Adjust information security programs in light of material changes to the business that may affect safeguards.

Courion solution: Material changes that can affect a security program include changes in technology or changes to operations or business arrangements, such as mergers and acquisitions, alliances and joint ventures, or outsourcing arrangements. Courion’s flexible and fully integrated identity and access management solutions enable organizations to update user access rights quickly to meet changing business conditions, such as a merger or reorganization.

Regulatory requirement: Assign a unique ID to each person with computer access to NPI.

Courion solution: Courion creates a unique account for each user with access to NPI, including a unique user ID, password and set of access rights for that individual. Courion also supports multi-factor authentication products, such as security tokens, so that every access to NPI can be attributed to an authenticated, authorized individual rather than to a shared or anonymous account.

Regulatory requirement: Restrict access to customers' NPI to the minimum level necessary for the business.

Courion solution: Courion enforces least-privilege access based on role definitions or other business need-to-know requirements, and detects separation-of-duties (SoD) violations.

Regulatory requirement: Block access when employees leave or are terminated.

Courion solution: Courion automatically disables or deletes user accounts on any designated target system containing NPI as the result of a change in employee status, such as termination of employment.

Regulatory requirement: Track and monitor all access to IT resources containing NPI.

Courion solution: Integration with leading security information and event management (SIEM) solutions enables managers to review access to customer data and other information assets and remediate inappropriate access.

Regulatory requirement: Routinely test and verify user access rights, security systems and processes.

Courion solution: Courion enables security staff, IT administrators and line-of-business managers to review and certify user access rights. Roles can be periodically reviewed for accuracy as well. Courion can also enforce end-user policy awareness training and block access for users who fail to pass or complete the program.


Access Risk Management Solution

To meet these requirements, insurance companies require a solution that enables them to:

  • Control access by employees, agents, business partners, and others to applications and IT assets containing sensitive customer information
  • Verify the proper use of that access
  • Safeguard sensitive data from unauthorized access
  • Demonstrate compliance with industry-specific regulations, such as MAR or GLBA
  • Protect the organization’s brand and reputation.

Courion’s Access Risk Management solutions, deployed at some of the largest insurance companies in the world, enable customers to improve the security of sensitive data, reduce IT overhead, accelerate core business processes by making it much easier for personnel to manage their own identities, and respond to regulatory demands for compliance data.

Some of the Access Risk Management Suite features that insurance companies rely on include:

Manage Employee Access Rights: Insurance organizations must give new employees access to the systems they need to be productive on Day One, and remove that access automatically when they leave the organization. They use Courion’s RoleCourier solution to manage the role definition process, which ensures that users within a particular role, such as an agent or underwriter, have only the access rights they require to be productive. AccountCourier then automates account creation and termination, using either pre-defined roles or the existing access request and authorization process your organization uses. These solutions ensure that users have the appropriate access rights, prevent separation-of-duties violations, and significantly reduce the time, effort and cost of managing employee access rights.
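The role-based model described above, as an added example in Python that is not Courion code: roles map to the entitlements they justify, a list of toxic entitlement pairs expresses separation-of-duties rules, and a review compares what a user actually holds on a target system with what their roles justify. The role names, entitlement strings and SoD rules are constructed assumptions for an insurer; the request-time check (would granting this role create a violation?) is the same logic applied before provisioning rather than after.

```python
"""Role-based entitlement review with separation-of-duties (SoD) checks.

Added illustration, not Courion code. The roles, entitlement names and
SoD rules below are constructed assumptions for an insurer.
"""

# Role definitions: the entitlements a person in each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "agent":       {"policy:read", "policy:quote", "crm:read"},
    "underwriter": {"policy:read", "policy:bind", "claims:read"},
    "ap_clerk":    {"erp:vendor_create", "erp:invoice_enter"},
    "ap_approver": {"erp:payment_approve", "erp:invoice_read"},
}

# Toxic combinations: pairs of entitlements no single person may hold together.
SOD_RULES = [
    ("erp:vendor_create", "erp:payment_approve"),  # create a fake vendor and pay it
    ("erp:invoice_enter", "erp:payment_approve"),  # enter an invoice and approve its payment
    ("policy:quote", "policy:bind"),               # quote and bind a policy with no second pair of eyes
]


def effective_entitlements(roles):
    """Union of the entitlements granted by a set of roles; an undefined role is an error."""
    ents = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"undefined role: {role}")
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def sod_violations(entitlements):
    """Return every SoD rule whose two entitlements are both present."""
    return [rule for rule in SOD_RULES if rule[0] in entitlements and rule[1] in entitlements]


def excess_entitlements(roles, actual):
    """Least privilege: entitlements found on the target system that no assigned role justifies."""
    return set(actual) - effective_entitlements(roles)


def review_user(user_id, roles, actual):
    """Review one user: what the roles justify, what is excess, and which SoD rules are broken."""
    return {
        "user": user_id,
        "expected": effective_entitlements(roles),
        "excess": excess_entitlements(roles, actual),
        "sod_violations": sod_violations(set(actual)),
    }


def would_violate_sod(current_roles, new_role):
    """Request-time check: would granting new_role on top of current_roles break an SoD rule?"""
    return sod_violations(effective_entitlements(list(current_roles) + [new_role]))


if __name__ == "__main__":
    # Constructed case: a clerk promoted to approver who never lost the clerk role,
    # and who also picked up an entitlement no role explains.
    held = {"erp:vendor_create", "erp:invoice_enter", "erp:payment_approve",
            "erp:invoice_read", "hr:payroll_read"}
    print(review_user("E1007", ["ap_clerk", "ap_approver"], held))
    print(would_violate_sod(["agent"], "underwriter"))
```

In practice the `actual` set comes from a connector that reads the target system, and the review output feeds either an automatic revocation or a certification task for the user's manager.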

Enforce access to restricted data: a key requirement of both MAR and SOX is the enforcement of access rights to financial systems. Courion’s AccountCourier solution enforces access policy and entitlements by ensuring that only authorized employees have access to regulated financial applications, such as accounts payable/receivable or billing. Courion also enforces access rights to systems containing customer or employee personally identifiable information, which could result in identity theft if breached.

Eliminate Zombie Accounts: Courion’s automated IdentityMap process locates user accounts on internal systems and associates each account with a known individual in a designated system of record, such as an enterprise HR application. The initial IdentityMap scan can identify and resolve zombie accounts, accounts that belong to someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts, which may indicate provisioning outside the managed process or an account created by an attacker. Courion can then alert the appropriate personnel to take remedial action.
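The reconciliation idea behind the paragraph above, as an added Python example that is not Courion's IdentityMap: accounts found on target systems are matched to identities in an HR system of record, accounts whose owner has left are reported as zombies, accounts with no owner at all as orphans, and accounts absent from the previous scan as new. The HR records, accounts, matching rules (owner attribute, then e-mail, then username equal to the e-mail local part) and the previous-scan snapshot are all constructed assumptions.

```python
"""Reconcile target-system accounts against an HR system of record.

Added illustration of the reconciliation idea, not Courion's IdentityMap.
The HR records, accounts, matching rules and previous-scan snapshot are
constructed assumptions.
"""

# Constructed HR system of record, keyed by employee id.
HR = {
    "E1001": {"name": "Ana Silva",   "email": "ana.silva@example.com",   "status": "active"},
    "E1002": {"name": "Ben Okafor",  "email": "ben.okafor@example.com",  "status": "terminated"},
    "E1003": {"name": "Cara Nguyen", "email": "cara.nguyen@example.com", "status": "active"},
}

# Constructed accounts discovered on two target systems.
ACCOUNTS = [
    {"system": "claims-db", "username": "asilva", "owner_id": "E1001"},
    {"system": "claims-db", "username": "bokafor", "email": "ben.okafor@example.com"},
    {"system": "ad", "username": "cara.nguyen"},
    {"system": "ad", "username": "svc_backup2"},
    {"system": "claims-db", "username": "admin2"},
]

# (system, username) pairs seen by the previous scan; admin2 was not among them.
PREVIOUS_SCAN = frozenset({
    ("claims-db", "asilva"), ("claims-db", "bokafor"),
    ("ad", "cara.nguyen"), ("ad", "svc_backup2"),
})


def build_identity_index(hr):
    """Index identities by the attributes accounts are matched on: employee id and e-mail."""
    index = {}
    for emp_id, rec in hr.items():
        index[emp_id.lower()] = emp_id
        index[rec["email"].lower()] = emp_id
    return index


def map_account(account, index):
    """Return the employee id an account belongs to, or None if nothing matches.

    Matching order (an assumption of this example): explicit owner attribute,
    then e-mail, then a username equal to the e-mail local part.
    """
    for key in (account.get("owner_id"), account.get("email")):
        if key and key.lower() in index:
            return index[key.lower()]
    local_parts = {k.split("@")[0]: v for k, v in index.items() if "@" in k}
    return local_parts.get(account["username"].lower())


def reconcile(accounts, hr, previous_scan=frozenset()):
    """Classify accounts as ok / zombie / orphan and list accounts new since the last scan.

    zombie: maps to an identity whose HR status is not active (a leaver still has access).
    orphan: maps to no identity at all, so nobody is accountable for it.
    """
    index = build_identity_index(hr)
    result = {"ok": [], "zombie": [], "orphan": [], "new_since_last_scan": []}
    for acct in accounts:
        key = (acct["system"], acct["username"])
        emp_id = map_account(acct, index)
        if emp_id is None:
            result["orphan"].append(key)
        elif hr[emp_id]["status"] != "active":
            result["zombie"].append(key)
        else:
            result["ok"].append(key)
        if key not in previous_scan:
            result["new_since_last_scan"].append(key)
    return result


def run_sample():
    """Reconcile the constructed sample data."""
    return reconcile(ACCOUNTS, HR, PREVIOUS_SCAN)


if __name__ == "__main__":
    for category, keys in run_sample().items():
        print(f"{category}: {keys}")
```

Orphans deserve as much attention as zombies: a service account with no named owner is exactly the kind of account that survives off-boarding, and an account that appears between scans with no owner is the case the paragraph flags as a possible attack.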

Access Certification, Re-certification and Attestation: Courion ComplianceCourier is used by line-of-business managers, compliance officers, security professionals, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with internal policy or industry regulations, ComplianceCourier provides a range of options to change, disable or delete inappropriate access rights. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.

Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. According to the Verizon Business 2009 Data Breach Investigations Report, 67 percent of breached records were in locations that the organization wasn’t aware of. Integration with DLP technologies enables your organization to find sensitive data, identify who has access to that data, determine how they obtained that access, and change, disable or delete access that is inconsistent with the individual’s business role.

Identify Suspicious Activity: Courion’s User Activity Manager module leverages leading security information and event management (SIEM) technologies to perform deep analysis of prior user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior captured in system log files (after-hours access, large data downloads, access from a previously unknown account, etc.) and combine that data with information about the user engaged in that behavior, such as name, role, title, department, manager and location. You can then determine whether the individual’s behavior is consistent with the needs of the business and, if it is not, terminate access to key applications.
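The enrichment step described above, as an added Python example that is not Courion's User Activity Manager: application log lines are parsed, each event is tested against the three patterns the paragraph names (after-hours access, large downloads, an account with no known identity), and flagged events are joined with the identity attributes a reviewer needs. The key=value log format, the identity records, the 07:00 to 19:00 UTC business window and the 10 MiB download threshold are constructed assumptions.

```python
"""Flag suspicious user activity in application logs and enrich it with identity data.

Added illustration, not Courion's User Activity Manager. The log format, the
identity records and the thresholds are constructed assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed key=value log lines, as an application might forward them to a SIEM.
LOG_LINES = [
    "2009-05-04T09:12:41Z app=claims-db user=asilva action=read bytes=18320 src=10.1.4.22",
    "2009-05-04T02:14:09Z app=claims-db user=asilva action=export bytes=52428800 src=10.1.4.22",
    "2009-05-04T11:05:33Z app=erp user=admin2 action=login bytes=0 src=10.1.9.70",
    "2009-05-04T14:40:00Z app=policy-admin user=cnguyen action=read bytes=4096 src=10.1.4.31",
]

# Constructed identity attributes, as an identity management system would supply them.
IDENTITIES = {
    "asilva":  {"name": "Ana Silva",   "role": "agent",       "department": "Sales",        "manager": "D. Reyes"},
    "cnguyen": {"name": "Cara Nguyen", "role": "underwriter", "department": "Underwriting", "manager": "D. Reyes"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC datetime and int bytes."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def flag_event(ev, identities, business_hours=(7, 19), download_threshold=10 * 1024 * 1024):
    """Attach the identity record and a list of reasons the event looks suspicious (empty if none).

    business_hours is a UTC [start, end) hour window; the threshold is in bytes. Both are assumptions.
    """
    reasons = []
    if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
        reasons.append("after_hours")
    if ev["bytes"] >= download_threshold:
        reasons.append("large_download")
    identity = identities.get(ev["user"])
    if identity is None:
        reasons.append("unknown_account")
    return {**ev, "identity": identity, "reasons": reasons}


def analyze(lines, identities):
    """Return only the enriched events that carry at least one reason, for a reviewer to judge."""
    return [e for e in (flag_event(parse_line(line), identities) for line in lines) if e["reasons"]]


if __name__ == "__main__":
    for e in analyze(LOG_LINES, IDENTITIES):
        who = e["identity"] or {"name": "<no identity>", "role": "?", "manager": "?"}
        print(f'{e["ts"].isoformat()} {e["app"]} {e["user"]} ({who["name"]}, {who["role"]}, '
              f'manager {who["manager"]}): {", ".join(e["reasons"])}')
```

The join is the point: "asilva exported 50 MB at 02:14" is a log line, while "a sales agent reporting to D. Reyes exported 50 MB from the claims database at 02:14" is something a manager can act on.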

Secure Passwords: Courion’s PasswordCourier reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing help desk costs through its secure self-service password reset capability. Transparent synchronization technology lets users keep the same username/password combination for all systems, reducing the likelihood that they will write down their credentials and post them at their desk. The trade-off is that one compromised credential then unlocks every synchronized system, so strong password policy and multi-factor authentication for the most sensitive systems matter more, not less, once passwords are synchronized.

Benefits

Courion solutions allow insurance organizations to:

  • Improve productivity: Create accounts for new employees or agents quickly and easily, giving them immediate access to mission-critical business applications, while ensuring they have the minimum access to sensitive data required for their jobs.
  • Respond to change: Dynamically adjust access rights as employees change roles due to transfers, promotions, demotions or reorganizations.
  • Eliminate zombie accounts: Automatically suspend or discontinue access when employees are terminated or an agent's relationship with the firm ends.
  • Reduce costs: Enable users to securely reset a forgotten or expired password from their PC, using a web browser, or via a telephone, without having to call the help desk. Provisioning solutions reduce the personnel and overhead costs associated with creating, managing and terminating user access to a wide variety of internal systems. Allow business managers to respond to internal and external audit requests faster and with less effort.
  • Demonstrate compliance: Quickly and easily attest that employees have access rights that are consistent with organization policy, Sarbanes-Oxley, MAR, PCI DSS, and other relevant industry or government requirements.