Insurtech refers to applying technology and data-driven processes in the insurance industry. Insurtech can range from a chatbot that assists you with filing claims, to artificial intelligence that predicts your risk profile from social media posts and biometric data, to automated brokering platforms for acquiring insurance policies.
According to industry reports, global insurtech market revenue is projected to reach USD 10.14 billion by 2025. Before you sign up for any insurtech platform, ask the service provider the questions below. The answers are half the battle in ensuring your data, and your clients' data, stays safe.
1) What is the Company’s Data Handling Protocol?
When a provider handles your clients’ data, there should be a clear statement of how that data will be stored. Will it be stored on-premise or in the cloud? In which country or region will it be stored? What are they doing to protect their servers from potential threats? Who is responsible for making sure those threats are mitigated?
2) What Policies Exist for Data Breach Notification?
If your confidential data is ever breached, you should be informed promptly. It’s vital that whoever holds your information has a plan in place for this eventuality. You may also be asked to agree to a notification procedure up front – if so, what are the parameters: how, through which channel, and within what time frame must they contact you?
3) How are Vendor Risks Mitigated?
All service providers depend on third-party components. For example, cloud-based solutions rely on data centers. What happens if there’s a failure or a compromise at the data center? Insurtech businesses should be transparent about their vendors and include clauses in their contracts that require those vendors to maintain up-to-date security.
4) What Data is Collected?
5) What are Their Security Measures?
There are many different security mechanisms used for data protection. Find out what kind of firewalls, access controls, and encryption their servers use to protect your clients’ data.
If the insurance platform is cloud-based, additional protections apply. It is best practice to ask about their security audits and which independent agencies have certified them.
6) Do They Have an Incident Response Plan?
If something goes wrong with your data, is there a plan in place? How is it executed, and who executes it? The company should have a documented plan covering every plausible scenario, not just the most obvious one.
7) What is the Company’s Incident Response Procedure?
How do they handle breaches? Is there a designated group of individuals who must approve specific steps in the process, or does it all happen automatically? How much time passes before a breach is reported, and how are clients notified?
8) What is the Company’s Policy for Breach Disclosure?
If their security measures are breached, you should know how this affects your access to the platform. Can you keep using it freely, or do you have limited functionality while the incident is being resolved? How quickly can you resume business with them after a data breach is resolved? The provider should supply a written breach disclosure policy before you sign up.
9) What Steps are Taken to Minimise the Effect of a Breach on Your Data?
How much control do you have over your stored or accessed data? Can the provider act on it (for example, move, restore, or delete it) without your knowledge, or is client participation required? There should be a defined approval process before any administrative change is made to your data.
10) What Steps are Taken to Protect the Security of Your Data?
It’s not just about the steps taken after a breach. It’s also essential to determine how secure your data is before an incident. Is your information encrypted before it leaves the company’s premises? How are passwords stored (they should be salted and hashed with a deliberately slow password-hashing function, never kept in plain text or reversibly encrypted), and what encryption techniques are employed for data at rest?
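To make the password-storage question concrete, here is an added example (not code from the original page or from any insurtech provider) that contrasts the answer you do not want to hear, an unsalted fast hash, with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time verifier. The function names, record format and the sample password are this example's own choices; the 600,000 iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration (not a real account).
SAMPLE_PASSWORD = "correct horse battery staple"

# OWASP-recommended iteration count for PBKDF2-HMAC-SHA256 (as of 2023).
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The bad answer: a bare, unsalted SHA-256 digest.

    Identical passwords yield identical digests (so one cracked hash unlocks
    every user with that password), and SHA-256 is fast enough that an
    attacker can test billions of guesses per second against a leaked table.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """The good answer: random per-user salt plus an iterated, slow KDF.

    The result is a self-describing record "algo$iterations$salt$hash" so the
    iteration count can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record: {algo}")
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


def same_password_same_hash(scheme) -> bool:
    """Check a storage scheme: does storing one password twice give the same
    output? True means no per-user salt, which is a red flag."""
    return scheme(SAMPLE_PASSWORD) == scheme(SAMPLE_PASSWORD)


if __name__ == "__main__":
    print("weak scheme repeats hashes:", same_password_same_hash(weak_store))
    print("strong scheme repeats hashes:", same_password_same_hash(strong_store))
    record = strong_store(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify(record, SAMPLE_PASSWORD))
    print("wrong password verifies:", verify(record, "hunter2"))
```

PBKDF2 is used here because it ships with the Python standard library; where a provider can add a dependency, a memory-hard function such as Argon2id or scrypt is the stronger choice, and the self-describing record format above lets them migrate to it later.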
11) What are the Company’s Weakest Links in Terms of Security?
It’s not just about your clients’ data. You have to consider how well the company secures its own information, too. Do they have a Chief Information Security Officer on staff, and who does that person report to? Ask whether an independent third party has assessed their security program, and request the evidence.
12) Does the Company Have a Data Processing Agreement (DPA)?
A DPA is an agreement in which one party provides another with data and sets out how it may be used. It also includes clauses describing whether and how this information may be transferred to other parties, and what security measures must be applied while it is held.
13) What Steps are Taken to Protect Data in Transit?
Any data transfer between the company and you, or between your customers and them, should be encrypted in transit (for example, over TLS). Ask how they verify that this happens on every interaction, not just on the login page.
When information is passed on to third parties (for example, when an independent agency processes complaints), the same security standards must apply. You can check this by reading their policies, procedures, and legal documents, including the DPA.