Information security of insurance companies
Insurance companies provide services in the field of insurance protection of the property interests of legal entities and individuals. In the course of their activity they come to hold a large amount of information that constitutes either a trade secret or personal data. Both are protected by law. Disclosure of this information to outsiders can result in financial harm to the company and its customers. At the same time, insurance information is an asset of independent value. Security specialists of insurance companies are therefore required to make significant efforts in the field of information protection.
Legal regulation of information protection in the field of insurance activities
The status of information as an object of legal protection is regulated by several federal laws, among them the law "On information, information technology and information protection", the Civil Code, the law "On the protection of personal data" and others.
The following information objects are generated in the activities of the insurance company:
- commercial secrets of the insurance company itself, data on its contracts, financial relationships, accounting information;
- commercial secrets of clients and partners of the organization, data on their assets, property, payments, insurance events that have occurred;
- personal data of the company's employees and of customers' employees; this information sometimes includes car registration numbers, driver's licence numbers and credit card numbers;
- medical secrets of the company's clients using voluntary health insurance services.
All of this information is held both on paper and on electronic media. It can become the target of unlawful acts, and keeping it safe requires serious security measures. Unauthorized access to information protected by law is a criminal offense under article 272 of the Criminal Code.
Types of information security threats
The list of security threats includes attacks of both external and internal origin. Databases owned by insurance companies are frequent targets of hackers; client databases containing phone numbers, car registration numbers and medical records are particularly attractive to criminals. In a number of cases, fraudsters have used data stolen from insurers to create clone sites selling invalid OSAGO policies. In the United States, last year, criminals breached the security system of one of the largest insurance companies, and the data of hundreds of thousands of clients ended up in the public domain.
In addition, there remains the risk of the company's computer systems being infected with viruses, which can cause significant damage in the form of:
- blocking access to important files;
- destruction of files;
- transfer of information to third parties.
An installed antivirus is not always reliable protection against a planned attack. Besides the external threat of penetration into the insurance company's computer networks, there are also internal threats: individual employees may deliberately steal commercial information in order to distribute it or pass it to competitors.
Information security measures and means
Information security standards in Russia are stipulated by GOSTs. In addition, the information security of an insurance company must be ensured by a whole range of measures: administrative, organizational and technical.
They should all be used together. The security system should rely on the management and control of the company's personnel. Technical measures are no less important, but they cannot exist in isolation from organizational measures.
Administrative security measures
These methods of protection include the development of internal regulations that inform employees of the actions necessary to ensure information security. Such documents are kept openly accessible, and the insurance company should ensure that personnel are familiarized with them.
The security service of the insurance company develops and proposes a policy for the protection of confidential information for approval by the management. This local regulation must contain:
- basic principles of protecting confidential information in the company;
- responsibilities of each employee in terms of protecting the information entrusted to them;
- objectives of the management to ensure the protection of information;
- regulations for handling computer equipment and communications;
- measures of responsibility for violation of the provisions of the document.
In addition, a list of the information constituting commercial secrets should be annexed to every employment contract, and the contracts themselves should provide for liability for its disclosure.
Organizational security measures
These measures are aimed chiefly at eliminating the internal threat of information leakage and at motivating employees to comply with the approved regulations. They are taken by the security service in cooperation with the personnel management service.
Among the organizational measures to ensure information security are the following:
- establishment of various degrees of employee access to information containing commercial secrets;
- limiting the circle of persons who have access to confidential information of the insurance company;
- organizing the use of material media, establishing control over copying and scanning documents, limiting employees' access to external e-mail;
- conducting periodic inspections of compliance with regulations;
- engaging specialists to conduct information security training;
- measures to create a commercial secret regime;
- including in the company's contracts with clients provisions obliging the latter to observe the commercial secret regime in relation to the information transferred to them;
- holding those guilty of disclosing information accountable.
Sometimes the system of working with information security requires the creation of a special unit in the company, whose functions will include only this activity.
It should also be borne in mind that most information systems were designed when the required level of protection against external intrusion was significantly lower than it is today. An audit of these systems, establishing whether they comply with modern standards, can also be counted among the organizational measures.
There are additional organizational measures to reduce losses from information leaks. For several years now, insurers themselves have been selling insurance against information security threats as a product, and it is quite popular. This method of protection helps to minimize damage in the event that commercial secrets are compromised.
Technical security measures
This group of measures involves the use of effective technical means of protection; hardware, software and cryptographic tools are used to implement it.
Hardware tools include backup systems and protection against unauthorized entry; software tools are responsible for the operation of antiviruses and other security programs; cryptographic tools encrypt all information stored and transmitted over communication channels. Firewalls and intrusion detection systems are the most commonly used means of protecting information. Technical means require constant updating and modernization, since software products become obsolete very quickly.
Today, products are offered that provide comprehensive information protection: DLP systems and SIEM systems. DLP systems prevent data leakage when information is transmitted by e-mail or instant messenger or sent to a printer: if the program detects protected information being moved at the moment of transmission, which may indicate its interception, it stops the transfer to external channels. SIEM systems are complex security management tools that identify vulnerabilities in the system and report possible threats, detecting patterns that deviate from the normal behaviour of the system itself and its users.
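The DLP content check described above, as an added example that is not part of the original article: it scans a message bound for one of the monitored channels for the kinds of client data the article names (card numbers, validated with the Luhn checksum so that look-alike policy numbers are not flagged, and Russian-format phone numbers) and decides whether the transfer may proceed. The channel list, patterns and thresholds are constructed assumptions, not any vendor's rules.

```python
import re

# Constructed assumption: the outbound channels the DLP rule inspects.
MONITORED_CHANNELS = {"email", "messenger", "printer"}

# 13-19 digits, optionally separated by spaces or hyphens (card number candidate).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Russian phone numbers: +7/8, 3-digit area code, 7 digits in 3-2-2 groups.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+7|8)[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{2}[ -]?\d{2}(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count protected-data findings in an outgoing message body."""
    cards = [
        m.group() for m in CARD_RE.finditer(text)
        if luhn_valid(re.sub(r"\D", "", m.group()))   # drop non-Luhn look-alikes
    ]
    phones = PHONE_RE.findall(text)
    return {"card_numbers": len(cards), "phone_numbers": len(phones)}


def dlp_decision(channel: str, text: str) -> str:
    """Return 'allow', 'quarantine' (hold for review) or 'block' (stop the transfer)."""
    if channel not in MONITORED_CHANNELS:
        return "allow"
    findings = classify(text)
    if findings["card_numbers"] > 0:      # any card number: stop the send outright
        return "block"
    if findings["phone_numbers"] >= 3:    # constructed threshold: looks like a contact-list export
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages, not real client data.
    print(dlp_decision("email", "Client card 4111 1111 1111 1111, policy 1234567890123"))
    print(dlp_decision("messenger", "call +7 495 123-45-67, +7 495 765-43-21 or 8 (812) 333-22-11"))
```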
Every day fraudsters develop new means of overcoming protective barriers, and the danger of losing valuable information grows, and with it the risk of financial losses. Risks can be minimized by auditing security systems and acting on recommendations for their modernization.
The combined application of modern technical means in the work of an insurance company's security service can provide a high level of protection of information from leaks and unauthorized access. It should be borne in mind that all actions taken must fully comply with the requirements of Russian legislation.