Taking InsurTech on the Road: Mobile App Bumps and Solutions

Polsinelli

As insurers, agencies, producers and service companies seek to become more efficient and competitive in the InsurTech marketplace, offering mobile apps seems to be one obvious solution.  

By employing mobile apps, digitally savvy individuals can apply for coverage while having their morning coffee, policyholders can pay premiums and file claims from the break room and insurers can promote loss prevention practices and claims adjustment with a series of clicks anywhere. 

The convenience and efficiency of doing insurance business using mobile apps – whether by the policyholder, producer, carrier or other persons – does not come without risks. 

Regulated persons (insurers, agencies and producers alike) should establish a vetting process to mitigate the regulatory and security risks inherent in employing all technologies, and particularly mobile apps. To assist this process, the National Institute of Standards and Technology has established step-by-step recommendations to augment data security generally; see the NIST cybersecurity standards. Similarly, the National Association of Insurance Commissioners recently released its Insurance Data Security Model Law.

Implementing Mobile Technology

When adopting a new technology, organizations should analyze the potential security impact that technology may have on information security resources, on data, and on policyholders. 

Unlike a desktop computer system, where software exists within a tightly controlled environment that is uniform throughout the organization, mobile apps pose unique security challenges. They cull personal information from physical sensor data, personal health metrics, pictures and video, to a much higher and more precise degree than desktop systems. Mobile devices also have a wider variety of network services than traditional enterprise applications, like Wi-Fi, 2G/3G and 4G/LTE in addition to short-range data connectivity options like Bluetooth and Near Field Communications. All of these mechanisms for data transmission can be vectors for hackers.

Meeting Regulatory Requirements

Although not yet effective, when adopted, the NAIC Data Security Model Law will require all persons regulated by adopting state insurance departments to establish standards for data security that will be applicable to data utilized on all forms of technology, including mobile devices. The Data Security Model Law will require, among other things, that licensees:

  • Provide safeguards for the protection of nonpublic data.
  • Assess reasonably foreseeable, internal or external threats to access or misuse of data and the sufficiency of safeguards against such threats.
  • Include cybersecurity risks in the organization’s enterprise risk management process.
  • Provide cybersecurity awareness training based on the organization’s risk assessment.

In concert with ensuring compliance with state regulation of data security, organizations doing insurance business through mobile apps must also ensure such mobile processes and use of data meet standard regulatory compliance requirements, such as:

  • Preserving compliance with distribution, pricing, policy forms, and satisfaction with other relevant regulatory requirements.
  • Maintaining evidence of compliance for regulatory audits and examinations.

Analyzing Risk v. Reward

An app that is critical to the organization’s business processes or that will be made available to customers/policyholders or the general public must be vetted more thoroughly, since the repercussions from a security breach are much higher than with apps of more limited use. Critical steps include:

  • Acknowledging the risks inherent in the utilization of the app.
  • Understanding the variation of risk for mobile apps that interact with the organization’s system-wide desktop software versus those that are used only on mobile devices.
  • Recognizing the value of testing apps internally before rolling out for organization-wide, targeted or public distribution.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
