As an early stage or startup InsurTech, you’re highly focused on all the right things: identifying a challenge for the insurance industry, developing an innovative technical solution, making it practical and scalable, getting it funded, and implementing it. The industry for which InsurTech seeks to develop and deliver solutions is awash, however, in requirements and restrictions related to the collection, use, sharing, and protection of data. What do you need to know about the insurance industry’s privacy and cybersecurity issues that affect your InsurTech solutions?
Make Privacy and Cybersecurity your Competitive Edge
Insurers, producers and others that are potential sources of funding and potential customers for InsurTech solutions are increasingly focused on privacy and cybersecurity issues. This focus is driven by their developing legal and regulatory environment, and by their interest in mitigating privacy and cybersecurity risk. Your ability to attract interest will only improve if you display awareness of and sensitivity to these issues. Your InsurTech will stand out and enjoy a competitive edge if you have basic answers to the questions any investor or customer will ask about privacy and cybersecurity compliance and risk mitigation. Conversely, your great ideas will be undermined if you give the impression that your solution hasn’t been built with these issues in mind.
To exploit this potential competitive advantage (and avoid the risk of the uninformed), you may not need to become a privacy and cybersecurity expert, but you do need to have some understanding of the issues that will be of concern to your potential investors and customers.
The following are suggestions for turning potential privacy and cybersecurity pitfalls into a competitive advantage.
1. Know what data you collect and process. Privacy and cybersecurity issues are determined by the types of data collected and processed. Make sure you know what your designers and programmers are setting up in terms of types and methods of data collection. Privacy and cybersecurity issues turn on types of data, and you need to have, and to be able to provide, full visibility into your data collection and processing. Companies sometimes collect more data than they intended or knew about, simply because designers and programmers thought additional data sets might be useful someday, or in some future application. Know what data you’re collecting and processing.
2. Appreciate the rules of the road. There is a complex, changing, and increasingly onerous regime of privacy and cybersecurity requirements that affect the customers of InsurTech. Insurers, producers and other users of InsurTech solutions will need to make certain that your solution satisfies these requirements. Assume that any data collected and processed by your solution can be subject to these requirements. You don’t need to be expert in these requirements, but you do need to be aware of them.
Basically, depending on what laws and regulations apply, know that information that is identifiable to an individual may be subject to notice, disclosure and other requirements; limits on use and transfer; restrictions on retention; and rights of access, correction, portability and erasure. In some jurisdictions, other types of data including certain commercial data may also be restricted, and data related to military and dual use technologies can also be subject to data export and other restrictions. In addition, InsurTech customers may have contractual obligations or published policies and notices that restrict the collection, use, storage and transfer of certain data. Build your solutions with the understanding that your potential customers may not be able to use them unless they are consistent with these requirements.
3. Vet your vendors for privacy and cybersecurity. There are specific requirements for insurance companies and other licensees to manage the cybersecurity risk of their third party service providers, and to ensure that these third parties can abide by applicable limitations on the use and sharing of data. For example, the use and sharing of nonpublic personal information is generally restricted, and this data must be protected against unauthorized access, theft, loss or misuse. These requirements and restrictions must be pushed down to third party service providers, and in turn their third party service providers, who may be engaged to process the data, or to develop applications used by the licensee to process it.
In providing your solution, you may well be considered a third party service provider, or your solution may be incorporated into the systems of an insurance licensee. In either case, make sure you are considering your own service providers and their ability to comply with these restrictions and requirements. Do your due diligence, and make sure your contracts with your third party service providers anticipate your need to accommodate push-down requirements that limit access to data, provide your customers and their customers with access to their data, and their ability to correct it or require you to deliver it or erase it. And treat your cloud-based services as any other third party service for these purposes.
4. Anticipate due diligence requests. Customers and investors will send questionnaires and/or request meetings or on-site visits to vet your ability to meet their demands for privacy and cybersecurity. Template requests and questionnaires for cybersecurity have been developed and published, including by the “Big I” association for independent insurance agents. These can be used to help identify the areas where you can expect questions concerning your cybersecurity profile. Familiarity with these requests will convey your awareness and level of preparedness.
Subjects of inquiry can be expected to include your policies and procedures on privacy and cybersecurity, including your written information security program, incident response plan, training and awareness programs, and technical safeguards. Be prepared and impress your potential investors and customers with your solution by touting your privacy and cybersecurity profile as a competitive advantage.
5. Expect representations and warranties, and indemnities related to privacy and cybersecurity issues. Be prepared to respond to contractual provisions related to the privacy and cybersecurity requirements of InsurTech customers embodied in representations, warranties and indemnities in your customer contracts. Investors will need assurances as to what you’ve done about privacy and cybersecurity, because your vulnerabilities or inability to meet customer demands will affect the value of their investment. Use experienced advisors to learn what typical reps and warranties will look like, and what indemnification provisions may be expected. Consider developing your own template to offer your customers in an effort to standardize your obligations and reduce the time lag of customer contracting. Similarly, make sure your contracts with your own third party service providers will accommodate your customers’ push-down requirements.
Contractual representations and warranties typically cover compliance with applicable laws, adherence to NIST or certain other standards for cybersecurity, availability of HITRUST or other certifications, lack of certain cybersecurity incidents, notice requirements for certain events and vulnerabilities, and other related areas. Preparing a set you’re prepared to live with can at best result in your accepted representations, and at worst assist your review of the set presented to you by an investor or customer.
Following these suggestions will avoid surprises and disappointments, and position your InsurTech to use privacy and cybersecurity as a competitive advantage.