Insurance
Emerging industry demands are pressuring insurers to keep cutting costs while improving business outcomes such as profitability, revenue growth and underwriting quality. Meeting them requires greater use of technology, process re-engineering and alternative sourcing models. According to a Deloitte survey, half of the insurance executives responding cite regulation as one of the top influences on profits over the next three to five years. Within regulation, seven out of ten respondents say the cost of implementing compliance will have the greatest impact on profits, over half (56%) see the risk of noncompliance as a major concern, and 31% cite finding and training the right people as an issue.
For leading insurers trying to get a handle on IT risk and compliance, the key questions are:
- The IT Governance, Risk and Compliance process: Do we have one?
- Quality: Are we obtaining reliable results?
- Cycle Time: How long does it take to get reports?
- Cost: How much is it costing us?
- Resiliency: Can the process adapt to change?
The Challenge
The insurance industry faces intense scrutiny from state, national and international regulators, particularly since major catastrophes such as Hurricane Katrina along the Gulf Coast and the damage they did to public and shareholder trust in the industry. In general, regulations and mandates aim to ensure the integrity of financial reporting information and the privacy and protection of the personal information stored and transmitted in insurers' information systems.
Simply knowing where that data resides and which controls already protect it is a challenge. On top of that, ongoing risk assessment requires that those controls be tested routinely. The difficulty is compounded by the complexity of the organizations themselves: geographically distributed offices, data centers and business units, a steady stream of mergers and acquisitions, and data-intensive business processes. Add the hundreds, or even thousands, of affiliated agencies these enterprises typically rely on to deliver services to their customers, and it is easy to see how an organization's visibility into its own risk posture gets clouded.
Key IT-related risk and compliance regulations that insurers must comply with include:
- SOX 404 (Sarbanes-Oxley Act, Section 404) – requires publicly traded companies to assess and report on the internal controls that protect the integrity of financial reporting
- HIPAA (Health Insurance Portability and Accountability Act) – requires health plans, including health insurers, to protect the personal health information (PHI) they store and transmit
- PCI DSS (Payment Card Industry Data Security Standard) – requires any organization that stores, processes or transmits cardholder data to protect it, including periodic risk assessments and control testing
- Gramm-Leach-Bliley Act (GLBA) – requires financial institutions, insurers included, to safeguard consumers' nonpublic personal information
- California SB 1386 – requires notifying California residents when their unencrypted personal information is exposed in a breach; many other US states have since enacted similar breach-notification laws, and federal legislation modelled on it has been proposed
- EU Data Protection Directive – requires protection of personal information for businesses operating in EU countries
- Basel II – requires that operational risk management address information security threats and the controls that mitigate them
The Solution
Agiliance IT-GRC 3.0 provides insurance enterprises with the ability to:
- Establish a resilient IT-GRC business process providing a holistic, real time view into risk and compliance across the enterprise, including partners and vendors
- Implement a robust operational IT risk program, including conducting eSurveys throughout the organization, developing key risk indicators for IT, and assessing threats using the COSO and AS/NZS 4360 risk management methodologies
- Demonstrate continuous multi-regulatory compliance with a "test once, comply with many" capability that cuts the cost and cycle time of testing and reporting while improving its quality
- Integrate and automate technical controls by leveraging existing investments in security and change management systems: data from vulnerability scanners, CMDBs, identity management (IdM) systems, segregation-of-duties systems and other sources is taken in to generate reports automatically, drill down to critical controls, and set priorities based on the areas of highest risk
- Migrate over time to standard control frameworks such as ISO 17799/27001, CobiT, NIST and FFIEC
- Create enforceable policies and monitor controls across functional and geographical boundaries
