Data is one of the most valuable assets insurers hold. Now more than ever, the way data is used and protected is at the forefront of consumers' minds.
Regulation for data protection is quickly catching up with consumer concerns, as the proposed APRA Prudential Standard CPS 234 for Information Security Management shows.
For the insurance industry, it’s never been more important to re-evaluate the way data flows in and out of your organisation.
How does the APRA Prudential Standard CPS 234 relate to data governance?
In March 2018 APRA released the draft Prudential Standard CPS 234 that, “aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability that is commensurate with information security vulnerabilities and threats.”
But what does this mean for data use and exchange? CPS 234 addresses a major concern APRA has around systematic approaches to data governance and information asset management.
Preparing for compliance
In order to be compliant, an APRA-regulated entity must adhere to the key requirements outlined in the proposed Prudential Standard:
- Clearly define the related roles and responsibilities. This includes the Board, senior management, governing bodies and individuals
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, so that the entity can continue sound operation
- Implement controls to protect information assets, and test those controls to verify their effectiveness
- Notify APRA of information security incidents that have materially affected, or could materially affect, the entity or its customers within 24 hours
Governance and identity management
Data governance processes are in place in a lot of insurance businesses, but are these processes enough to be compliant with the level of controls and auditability that APRA is putting forward?
Maybe. Maybe not.
We have observed that many data governance frameworks and policies are only designed to manage internal data sharing, that is, data shared across teams or divisions. The reality is that insurers, like all service providers, now operate in a world where data must be shared with third-party suppliers, vendors, partners and subsidiaries in order to do business.
Which raises a key question: is your current data governance management framework fit-for-purpose in a peer-to-peer data sharing world?
Paragraphs 20, 21 and 33 of the draft Prudential Standard CPS 234 relate directly to the requirements for third-party management of information assets, including internal audit:
20. An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:
(a) vulnerabilities and threats to the information assets;
(b) the criticality and sensitivity of the information assets;
(c) the stage at which the information assets are within their life cycle; and
(d) the potential consequences of an information security incident.
21. Where information assets are managed by a related party or third party, an APRA-regulated entity must evaluate the design and operating effectiveness of that party's information security controls.
33. Where information assets are managed by a related party or third party, internal audit must assess the information security control assurance provided by that party, where an information security incident affecting those information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.
Data governance when sharing with third parties is the area where the risk of data breach or misuse is highest, and where manual data exchange processes are most common. To be compliant, new processes and audit trails will need to be set up, and the third parties managing information assets reviewed, before the standard comes into effect.
Which raises some interesting questions for insurers…
- Could you determine every external party that currently holds, or has access to, your data or information assets?
- Do you know how these information assets were accessed or provided? Are they encrypted in transit and at rest, is there a risk of data leakage, and can you revoke access once it has been granted?
- Do you have an auditable governance register which details the exact permitted use and licensing terms associated with each instance of data being shared?
- Can you trust the security, data protection and privacy controls in place to protect your information assets (and your customers' privacy) when third parties access your data?
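As an added illustration (not part of the original post, and not code from the Data Republic platform), the Python sketch below shows the kind of register those questions presuppose: each share is recorded as a grant carrying the party, asset, permitted use, licence terms and expiry; every access decision and revocation is appended to a hash-chained audit trail so that later edits to the record are detectable; and the register can answer "who holds this asset right now" for any point in time, including after a revocation. The party names, asset identifier and dates are constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ShareGrant:
    """One instance of an information asset being shared with an external party."""
    grant_id: str
    party: str            # external party receiving access
    asset: str            # information asset identifier
    permitted_use: str    # the application the data may be used for
    licence_terms: str    # licensing terms attached to this share
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Point-in-time check: live if granted, not yet expired and not revoked before `now`."""
        not_revoked = self.revoked_at is None or now < self.revoked_at
        return not_revoked and self.granted_at <= now < self.expires_at


class SharingRegister:
    """Governance register of third-party shares with a hash-chained audit trail.

    Each audit entry stores the SHA-256 of the previous entry, so altering or
    removing an earlier entry breaks the chain and is caught by verify_audit().
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._grants: dict[str, ShareGrant] = {}
        self._audit: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def _record(self, event: str, **details) -> None:
        prev = self._audit[-1]["digest"] if self._audit else self.GENESIS
        entry = {"seq": len(self._audit), "event": event, "prev": prev, **details}
        entry["digest"] = self._digest(entry)
        self._audit.append(entry)

    def grant(self, grant_id: str, party: str, asset: str, permitted_use: str,
              licence_terms: str, now: datetime, ttl: timedelta) -> ShareGrant:
        if grant_id in self._grants:
            raise ValueError(f"duplicate grant id {grant_id}")
        g = ShareGrant(grant_id, party, asset, permitted_use, licence_terms, now, now + ttl)
        self._grants[grant_id] = g
        self._record("grant", **asdict(g))
        return g

    def access(self, grant_id: str, party: str, asset: str, now: datetime) -> bool:
        """Decide, and log, whether `party` may access `asset` under `grant_id` at `now`."""
        g = self._grants.get(grant_id)
        allowed = g is not None and g.party == party and g.asset == asset and g.is_active(now)
        self._record("access", grant_id=grant_id, party=party, asset=asset, at=now, allowed=allowed)
        return allowed

    def revoke(self, grant_id: str, now: datetime, reason: str) -> None:
        self._grants[grant_id].revoked_at = now
        self._record("revoke", grant_id=grant_id, at=now, reason=reason)

    def holders_of(self, asset: str, now: datetime) -> set[str]:
        """Every external party holding a live grant on `asset` at time `now`."""
        return {g.party for g in self._grants.values() if g.asset == asset and g.is_active(now)}

    def verify_audit(self) -> bool:
        """Recompute the hash chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self._audit):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def demo() -> dict:
    """Constructed scenario: a reinsurer gets a 30-day licence, which is revoked on day 12."""
    reg = SharingRegister()
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    reg.grant("G-1", "ReinsurerCo", "claims_2017", "pricing model", "no onward sharing",
              t0, timedelta(days=30))
    results = {
        "access_before_revoke": reg.access("G-1", "ReinsurerCo", "claims_2017", t0 + timedelta(days=10)),
        "access_wrong_party": reg.access("G-1", "BrokerCo", "claims_2017", t0 + timedelta(days=10)),
    }
    reg.revoke("G-1", t0 + timedelta(days=12), "contract terminated")
    results["access_after_revoke"] = reg.access("G-1", "ReinsurerCo", "claims_2017", t0 + timedelta(days=13))
    results["holders_day10"] = reg.holders_of("claims_2017", t0 + timedelta(days=10))
    results["holders_day13"] = reg.holders_of("claims_2017", t0 + timedelta(days=13))
    results["events"] = len(reg._audit)
    results["trail_ok"] = reg.verify_audit()
    reg._audit[0]["permitted_use"] = "marketing"   # simulate editing the grant record after the fact
    results["tamper_detected"] = not reg.verify_audit()
    return results
```

The hash chain only makes tampering detectable, not impossible; in practice the trail would be written to append-only storage and the chain head periodically signed or anchored outside the register so that an administrator cannot silently rewrite the whole chain.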
Data Republic can help you solve the above challenges and more, delivering a secure governance platform for insurers to control data visibility, access and licensing terms for data being shared and licensed to external third parties.
The levels of governance control in place on the Data Republic platform allow for:
- A full audit trail of data requests, licensing terms and permitted-use applications each time data is shared with a third party
- Leading privacy and personal information (PI) protection technology, minimising the risk of personal information leaks
- Provisioning of approved datasets to authorised users in cloud-based 'quarantined' analytics environments, so you remain in control, with the ability to revoke access and approval processes for data egress
Data Republic's technology is underpinned by a comprehensive legal framework and is trusted by some of Australia's leading airlines, banks and governments to effectively govern privacy and data security risks while sharing data.
While APRA’s proposed Prudential Standard CPS 234 is still in consultation, now is the time to consider the role smart technology can play to future-proof data governance compliance in line with emerging regulatory trends.
What do you think it would take to be ready to comply with CPS 234? I’d love to hear your thoughts on the proposed standard.