You’ve got your clients’ data locked down, but can you prove it to a regulator?

Insurance organizations may be good at protecting their own clients’ data, but can they prove it?

“In general, I would say that insurers are good at securing their data,” French Caldwell, a former advisor to the White House on cybersecurity, told Canadian Underwriter in an interview Tuesday. “What they may need to take a look at is, ‘Can you prove to others that you can?’”

Or more specifically, can they prove it to regulators?

A very active global regulatory environment around cyber means that insurance organizations will need to prove not only that they are good at protecting client data, but also that they have adequate cybersecurity in place for when an “inevitable” cyber breach occurs, Caldwell says. Caldwell is chief evangelist at MetricStream, a governance, risk, and compliance apps company based in California.

Regulators around the world have either passed — or are just about to pass — laws calling on insurance and other companies to prepare themselves for a possible data breach. Examples include:

• Canada’s new Digital Privacy Act includes regulations on mandatory data breach reporting that are due to be implemented any time.
• The U.S. National Association of Insurance Commissioners (NAIC) in the United States just passed its Insurance Data Security Model Law, which creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach.
• And in Europe, the General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016. The regulation will take effect in May 2018.

The regulators will be looking for more than just whether insurance organizations can protect their clients’ data, Caldwell said. “You will have a data breach, just assume it,” he said. “No matter how good you are [at protecting data], you will have a breach.”

Insurance organizations also should be shoring up their cybersecurity responses, he said. That includes asking themselves the same sorts of questions that they would be asking of their commercial cyber clients. For example:

• Are you doing regular inspections or audits of your data protection and cybersecurity processes?
• Do you have adequate programs in place to respond to requests and complaints from consumers?
• Do you have an adequate [response plan] in place to deal with an inevitable breach?
• Do you have a plan in place to identify all of the relevant regulatory authorities? And, do you have the data breach notification process in place to notify your customers?

Caldwell observed that property and casualty insurance organizations routinely provide cyber risk advice to their corporate clients. But do they practice what they preach?

“It’s the old saying about the cobbler’s children having no shoes,” he answered. “There’s a lot of validity in that statement.”