Managing Identity and Access for Insurance Catastrophe Teams
Traditionally, the insurance industry uses catastrophe (CAT) teams to respond to weather-related, high-claim events such as hurricanes and tornadoes. These mobile response teams provide resources that help the insurance company’s customers maintain business continuity. Currently, the industry faces a new kind of CAT team deployment, one that requires a different set of claims-handling skills, as insurance companies rush to manage the influx of claims arising from the Coronavirus pandemic. As part of its data privacy and security program, an insurance company needs to consider how it manages access to sensitive claims information as it deploys these teams.
How are Catastrophe Teams related to the Coronavirus Pandemic?
CAT teams focus specifically on large-scale disaster losses. Most often, insurance companies use them to respond to weather-related and man-made disasters. For example, CAT teams were deployed to Louisiana in the aftermath of Hurricane Katrina and were also used to assess insurance-related claims after 9/11.
According to the Insurance Information Institute, the industry defines a catastrophe as an event where:
claims are expected to reach a certain dollar threshold, currently set at $25 million, and more than a certain number of policyholders and insurance companies are affected.
The Coronavirus Pandemic likely falls into this category. For example, insurance companies need to deal with claims under multiple business lines:
- Healthcare: for testing and hospital stays
- Commercial General Liability (CGL): lost income, business interruption, event cancellation
- Directors and Officers (D&O): potential liability for actions impacting employee health or stock prices
- First-Party Property: business interruption from contaminated buildings
- Workers’ Compensation: workers who get sick on the job
- Group Benefits: covered employees taking Family and Medical Leave Act (FMLA) time
While some policies contain exclusions related to illnesses, others may not. According to a Financial Review article, the Insurance Council of Australia declared the Coronavirus Pandemic an insurance catastrophe. Meanwhile, reinsurer Munich Re made a public statement on March 3, 2020:
For many lines of business (especially non-life insurance such as business interruption) it has also been common market practice to exclude the risk of a pandemic outbreak from insurance cover. Nevertheless and driven by the insurance of major events, a pandemic scenario – depending on its severity – could also lead to significant but manageable losses in property-casualty reinsurance.
Property-casualty insurance policies, despite the exclusions related to illness, may see an impact depending on the interpretation of the exclusions and policies.
In short, while no global declaration of an insurance catastrophe has been made so far, the need to deploy CAT teams to respond to claims seems inevitable.
Why are catastrophe (CAT) teams an identity and access risk?
While some insurance companies have full-time CAT teams, others staff them with a mix of dedicated CAT personnel, staff borrowed part-time from other departments, and third-party adjusters (TPAs). While each organization is different, CAT teams can pose both a vendor access risk and an internal short-term “mover” identity and access risk.
Third-Party Adjusters (TPA)
As the name implies, TPAs, or independent adjusters, are claims handlers who work on behalf of an insurer but are not directly employed by it. Functionally, the insurer outsources the claims-handling work, and the TPA then reports the relevant information back to the insurance company.
As part of their job, the TPA needs to:
- Review insurance policy and coverage terms
- Access policyholder name and address
- Investigate facts, liability, and damages
- Evaluate whether the policy terms cover the liability based on the facts
- Set reserves
- Pay the claim
To do this, the TPA needs access to sensitive policyholder information such as:
- Social security number
- Bank account information
- Healthcare information
Because the insurance company does not directly employ the TPA, it needs a way to control the TPA’s access to its systems, networks, and applications.
Another way many insurance companies staff CAT teams is by drawing on their current claims adjusters. This model gives existing internal claims handlers additional application access. During the Coronavirus Pandemic, for example, an insurer may see fewer auto claims and choose to assign some of the catastrophe claims to auto adjusters.
In doing so, the insurance company grants access to CAT team resources such as databases or claims applications. Once the claims have been paid and closed, however, the insurer needs to ensure that it revokes that additional access.
Suggestions for Mitigating CAT Team Access Risk
While insurers rush to provide their policyholders the best customer service during a CAT event, they need to make sure that their service includes data security. Protecting brand reputation means adjusting claims rapidly, making payments as soon as possible, and ensuring adequate privacy and security controls.
Set Vendor Access Management Controls
Managing vendor access appropriately means that the company can assign ownership over the vendor. The insurance company typically contracts with a claims adjusting firm, which then assigns an employee to work on the claim. This creates a complex identity governance issue: the insurer grants access to the adjuster, but the TPA is neither an employee nor a typical third party connected to the human resources (HR) system, so no HR record drives the lifecycle of that access.
With that in mind, insurance companies should focus on:
- Assign access review ownership over the TPA: one of the insurance company’s employees should be responsible for the TPA’s access as if that third party were a direct report.
- Incorporate monitoring over the TPA: the TPA should be included in the responsible party’s periodic certification reviews and access request reviews.
- Set time-bound access permissions: before providing the TPA access to systems, networks, or software, the insurance company should set controls that automatically revoke access after a specific period of time.
- Document exceptions: if the insurance company needs to extend the TPA’s access, the reason should be documented to prove governance and provide audit evidence.
Enforce the Principle of Least Privilege with Fine-Grained Entitlements
Regardless of whether CAT team members are full-time, borrowed from other departments, or TPAs, insurance companies also need to protect themselves from potential excess access risk.
When considering controls that enforce the principle of least privilege, the company should think about:
- The applications critical to adjust CAT claims, including claims applications and payment processing
- The policyholder information critical to making claims decisions
- The payment information critical to paying a claim
For example, many insurance companies use SAP to reconcile their ledgers. Establishing fine-grained entitlements, that is, privileges that limit what a user can do within the application rather than merely whether the user can open it, helps protect against excess access.
Additionally, companies can extend fine-grained entitlements to prevent financial fraud. By setting entitlements at the level of SAP transaction codes (T-codes), the insurance company can prevent accidental Segregation of Duties (SoD) violations, such as an adjuster having the ability both to create a policyholder account and to pay a claim against it.
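As an added illustration (not Saviynt’s code, and not SAP’s), the following Python models that SoD check as a preventive control evaluated at request time rather than discovered in a later audit. The entitlement names and the toxic-pair rules are constructed placeholders standing in for real SAP T-codes and a real SoD ruleset:

```python
"""Preventive Segregation of Duties (SoD) check over fine-grained entitlements.

Added illustration, not Saviynt or SAP code. Entitlement names below are
constructed placeholders standing in for SAP transaction codes (T-codes);
the toxic-pair ruleset is likewise constructed for the example.
"""

# Each rule names two entitlements that one identity must never hold together,
# with the fraud scenario the combination would enable.
SOD_RULES = {
    frozenset({"POLICYHOLDER_CREATE", "CLAIM_PAY"}): "create a payee and pay them",
    frozenset({"CLAIM_RESERVE_SET", "CLAIM_PAY"}): "set a reserve and release payment",
    frozenset({"BANK_DETAILS_CHANGE", "CLAIM_PAY"}): "redirect a payment destination",
}


def sod_violations(entitlements):
    """Return sorted [(pair, reason)] for every toxic pair fully present in the set."""
    held = set(entitlements)
    found = []
    for pair, reason in SOD_RULES.items():
        if pair <= held:  # both halves of the toxic pair are held
            found.append((tuple(sorted(pair)), reason))
    return sorted(found)


def would_violate(current, requested):
    """Preventive check: violations that granting `requested` would newly introduce."""
    before = set(sod_violations(current))
    after = set(sod_violations(set(current) | {requested}))
    return sorted(after - before)


def decide_request(current, requested):
    """Route an access request: auto-approve if clean, escalate for manual review
    (with the conflicting pairs attached) if it would create an SoD violation."""
    new = would_violate(current, requested)
    return ("escalate" if new else "approve", new)


def role_is_clean(role_entitlements):
    """Role-design check: a bundled role must not itself contain a toxic pair,
    otherwise every member inherits the violation on assignment."""
    return not sod_violations(role_entitlements)


if __name__ == "__main__":
    # Constructed example: an auto adjuster borrowed onto the CAT team already
    # holds policyholder creation and now requests claim payment.
    adjuster = {"CLAIM_VIEW", "POLICYHOLDER_CREATE"}
    print(decide_request(adjuster, "CLAIM_PAY"))
    # ('escalate', [(('CLAIM_PAY', 'POLICYHOLDER_CREATE'), 'create a payee and pay them')])
    print(decide_request(adjuster, "CLAIM_RESERVE_SET"))
    # ('approve', [])
    print(role_is_clean({"CLAIM_VIEW", "CLAIM_RESERVE_SET", "CLAIM_PAY"}))  # False
```

The request-time check only reports violations that the new grant would introduce, so a user who already sits on a toxic pair is surfaced by `sod_violations` during certification rather than by every unrelated request; `role_is_clean` catches the other common source of SoD drift, a role that bundles both halves of a pair.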
When working to secure sensitive company and policyholder information, insurance companies need to actively enforce the principle of least privilege across their on-premises, hybrid, and cloud ecosystems.
Manage the Identity Lifecycle
CAT teams that draw in adjusters from other departments need to be monitored as well. Unlike traditional “mover” access, temporary interdepartmental access for CAT teams is often granted ad hoc, without being tied to the Human Resources (HR) system. When users move within the organization, they traditionally leave one role for another. With CAT teams, however, internal workforce members often add the CAT team claims to their existing caseload, working simultaneously in their regularly assigned department and on the CAT team.
When setting processes for managing the identity lifecycle, insurance companies should consider:
- Set time-bound access revocation: even if the adjuster needs access for longer than the time-bound limit, an automatic revocation date ensures that the user’s access stays limited and does not quietly become an excess access risk.
- Mark the access as “high risk”: because the access is abnormal, insurers should treat the additional access as “high risk” and monitor it more closely.
- Assign ownership and responsibility: as with TPAs, insurers need a designated CAT team lead who responds to access requests and reviews temporary team members’ access as a way to prove governance.
- Continuously monitor access across the peer group: where possible, the organization should treat all CAT team members as one peer group, so that members whose access exceeds that of their peers stand out and can be trimmed back under the principle of least privilege.
- Set context-aware controls: incorporating geolocation as a user attribute helps detect potential credential theft, particularly when CAT team members travel to meet catastrophe victims and enter data over public Wi-Fi.
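The time-bound revocation, documented exceptions, ownership and high-risk flagging that both lists above call for (the vendor access controls for TPAs and the identity lifecycle controls for borrowed adjusters), plus the peer-group comparison, can be modelled in a few dozen lines. The following Python is an added example, not Saviynt’s code; the 30-day default, the 50% peer-group threshold, and all user, owner and entitlement names are assumptions:

```python
"""Time-bound, owner-assigned access for TPAs and borrowed CAT team adjusters.

Added illustration, not Saviynt code. Purely in-memory: a real IGA deployment
would persist grants and push revocations into the target applications. The
30-day default, the 50% peer-group threshold and all names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    entitlement: str
    owner: str                 # insurer employee accountable for this access
    expires_at: datetime       # set at creation; never open-ended
    high_risk: bool = True     # temporary, abnormal access is watched closely
    active: bool = True
    exceptions: list = field(default_factory=list)  # documented extensions


def grant_temporary(user, entitlement, owner, now, days=30):
    """Every CAT-team grant carries an owner and an expiry from the start."""
    return Grant(user, entitlement, owner, expires_at=now + timedelta(days=days))


def extend(grant, now, days, reason, approver):
    """Extensions are exceptions: refused without a reason, recorded for audit.
    Returns the new expiry."""
    if not reason:
        raise ValueError("extension requires a documented reason")
    grant.expires_at = max(grant.expires_at, now) + timedelta(days=days)
    grant.exceptions.append(
        {"at": now, "days": days, "reason": reason, "approver": approver})
    return grant.expires_at


def revoke_expired(grants, now):
    """Automatic revocation sweep; returns the grants deactivated in this run."""
    revoked = []
    for g in grants:
        if g.active and g.expires_at <= now:
            g.active = False
            revoked.append(g)
    return revoked


def certification_queue(grants, owner):
    """Active high-risk grants the named owner must certify in a periodic review."""
    return [g for g in grants if g.active and g.owner == owner and g.high_risk]


def peer_group_outliers(grants, min_share=0.5):
    """Return (user, entitlement) pairs held by fewer than `min_share` of the
    active peer group: access that drifted above what the rest of the team has."""
    active = [g for g in grants if g.active]
    users = {g.user for g in active}
    if not users:
        return []
    holders = {}
    for g in active:
        holders.setdefault(g.entitlement, set()).add(g.user)
    outliers = []
    for ent, who in holders.items():
        if len(who) / len(users) < min_share:
            outliers.extend((u, ent) for u in who)
    return sorted(outliers)


def utc(year, month, day):
    """Shorthand for a timezone-aware UTC timestamp at midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def demo_team(t0):
    """Constructed scenario: three borrowed adjusters plus one TPA join on t0."""
    team = [grant_temporary(u, "CLAIM_VIEW", "cat_lead", t0) for u in ("ann", "bob", "cy")]
    team.append(grant_temporary("ann", "BANK_DETAILS_CHANGE", "cat_lead", t0))
    team.append(grant_temporary("tpa_jane", "CLAIM_PAY", "vendor_owner", t0, days=14))
    return team


if __name__ == "__main__":
    team = demo_team(utc(2020, 4, 1))
    print(peer_group_outliers(team))   # ann and the TPA each hold something nobody else has
    print([g.user for g in revoke_expired(team, utc(2020, 4, 15))])  # 14-day TPA grant lapsed
    print(extend(team[3], utc(2020, 4, 21), 10, "claims backlog", "cat_lead"))  # 2020-05-11
    print([g.user for g in certification_queue(team, "cat_lead")])   # what cat_lead must certify
```

Two design points matter here. Revocation keys off the expiry stamped at grant time, so the sweep needs no HR event to fire, which is exactly the gap the text describes for TPAs and borrowed adjusters; and an extension is a separate, reason-bearing action that moves the expiry rather than removing it, so the audit trail shows who approved what and why.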
Governance over workforce members temporarily assigned to CAT teams poses a different risk than traditional joiner/mover/leaver access. The internal workforce members have access to company and policyholder data, but the insurance company is extending that access during an emergency situation. Preventing SoD violations and limiting access to sensitive information becomes a struggle without the appropriate level of review.
Saviynt: Protecting and Monitoring Complex Access for Insurance Companies
Saviynt’s Gartner-recognized solution enables insurance companies to manage complex access needs for TPAs and temporary CAT team members. Our platform provides role-engineering that aggregates user account information into a single user ID so that insurers can prove governance over access.
Saviynt’s offerings include IGA, Application Access Governance (AAG), Data Access Governance (DAG), Infrastructure Access Governance (IAG), Cloud Privileged Access Management (Cloud PAM), and our Identity Risk Exchange. Our role-engineering capabilities use a top-down and bottom-up approach integrated with usage logs to eliminate duplicated access and provide an authoritative identity source across the ecosystem.
Our intelligent access request process creates a frictionless user experience, escalating high-risk requests for additional review and documentation while granting low-risk access automatically. Our fine-grained entitlements can drill down to SAP T-code levels, restricting access and enforcing the principle of least privilege to maintain security and privacy controls’ effectiveness.
CAT teams provide some of the most valuable customer service in the insurance industry by responding to devastating, unexpected events. As part of that customer service experience, insurers want to make sure that they include data privacy and security to keep their relationships and reputations intact.