CEOs and CIOs recognize that when it comes to securing their IT infrastructure, the enterprise is only as secure as the weakest connection in its supply chain. External suppliers (vendors) present a very real potential for opening the security doors a company has so heavily invested in keeping sealed. Within the insurance environment, this could take the form of independent MGA partners delivering accounting, underwriting or claim data into the insurance company's financial or administrative systems. It might entail payroll access downloads, or incoming policy claim data from partnering third-party claim adjusting/processing ventures. The supply chain varies by insurance entity.
Vendor platforms are a key vulnerability factor to be considered as part of every entity's ERM IT monitoring program. Frequently, entities focus heavily on securing IT controls within their own organization, yet marginalize their oversight of the data that vendor partners are delivering into the enterprise's administrative and financial systems. Granted, standard company firewall protections are generally in place, but these are focused on specific incoming internet traffic, not on the content a trusted vendor feed delivers through an allowed connection.
So, how does one go about assessing vendor vulnerability? The term used in cyber circles is triage, as in what emergency units do to sort out the most critical patients. The ultimate objective is to carefully assess each vendor's security posture and determine the level of risk associated with that relationship. A typical approach is the use of surveys and questionnaires. But keep in mind, this method can be time-consuming and costly, and many times becomes a paper exercise with little teeth (a "trust me" style response). A second tactic is to locate scalable, automated IT alternatives that continually assess and monitor for new gaps that may appear in vendor-related platforms. Vendor management rating systems such as UpGuard or BitSight are examples of established mechanisms for continual live monitoring of vendor security ratings. Enterprise IT personnel should have such tools available as a viable alternative for monitoring vendor rating activity continually. This can be done using a scalable approach that keeps costs in line with the size and complexity of the entity and, critically, allows the company to monitor data residing outside its internal network. The vendor monitoring process and its results should be one critical item disclosed to the Board as part of its periodic ERM assessment process.
We reiterate to our clients, future clients and colleagues: these concepts are not just for the big boys. If you are an insurance going concern, regardless of size and complexity, keep these concepts in your ERM planning inventory.