Cybersecurity is a hot topic for many organizations today. What should insurers do to address these risks?
Our cybersecurity specialists at Baker Tilly have written a number of educational articles and presented information through webinars and at association conferences. Here are several key tips for insurers trying to respond to this growing risk.
- Insurers must assess where they should focus their resources and efforts. Organizations do not have unlimited resources and budget to spend on cybersecurity, so it is important that they be able to identify the risks specific to their organization.
- Review and rank the most significant areas of risk to determine where to focus resources.
- Educate your employees, management, and board of directors about cybersecurity and have a breach response plan. Unfortunately, there is no way for any organization to prevent an attack from ever happening. Hackers are constantly developing new and innovative ways through and around systems. It is important to plan not only for if an attack happens, but for when an attack happens, and to have an effective response plan in place.
- There are three functional items that have been highlighted by the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force, the impact of which should be evaluated by each organization:
  - Multifactor authentication: The use of only logins and passwords does not provide enough security. Leveraging multiple phases of authentication reduces the probability of a full set of credentials being compromised;
  - Encryption of all data, including data-at-rest: Most organizations have implemented procedures for encrypting data being transmitted, but rely on multi-layer security protocols for protecting data-at-rest rather than encryption. The need to encrypt data-at-rest on your network is increasing with the ever-increasing volume of malicious activity;
  - Vendor management: Third parties are becoming an increasing source of data breaches. Including the information security function in the vendor selection/monitoring process, as well as reviewing the systems and protocols of vendor subservice organizations (fourth-party vendors), should be standard.
What corporate governance best practices do you recommend to your insurance clients?
I have had many board and audit committee members ask me about this topic. In fact, I am an active member of the Pennsylvania Institute of Certified Public Accountants (PICPA) insurance conference committee, and we just selected this topic as one of the sessions for the annual conference being held in December.
The best practices insurance companies should consider adopting to improve corporate governance are:
- Board oversight of critical risk areas in the organization is one of the most important aspects of sound corporate governance, regardless of the entity’s size or complexity. The board should be involved in understanding the risk management process, actuarial function (including the use of an external certification actuary), investment decision-making process, reinsurance decision-making process, and financial reporting.
- The board should ensure that it is staying informed and that management is providing education regarding hot topics in the organization and industry. We typically recommend that the board receive a presentation from either management or external experts two to four times a year on industry hot topics such as cybersecurity, compliance with regulations, and claims handling within the organization.
- The board should understand if the company has adopted a risk management policy and how that risk management policy drives decision-making throughout the organization.
- The board and management should review the NAIC Corporate Governance Annual Disclosure Model Act and the Corporate Governance Annual Disclosure Model Regulation. The Act is effective January 1, 2016, with initial filings due by June 1, 2016. This Act is applicable to insurers of all sizes and does not have a premium threshold for compliance such as the Model Audit Rule has. It is important for organizations to begin understanding the information that is being requested and to determine where gaps may exist in their policies and practices. In some cases for smaller insurers, a cost-benefit analysis may be required to determine whether certain policies and practices requested make sense for their organization.
The number of multinational insurance companies is increasing. How do you make sure international engagements run smoothly?
I started my public accounting career at Beard Miller Company and was pleased to begin working with more multinational companies when the firm merged with Parente Randolph several years ago. The number of international engagements continued to increase through ParenteBeard’s merger with Baker Tilly in 2014. As an independent member of Baker Tilly International, we are able to seamlessly provide in-country expertise where our clients need it. There are several factors that make the experience positive for our clients:
- Firms within the Baker Tilly International network collaborate very well. We focus on communication between the group auditor and component auditors to ensure there are no surprises or last minute issues that arise.
- Companies are able to experience the benefits and expertise of a national firm with a strong international network. We spend time during our engagements focusing on a consistent client service delivery model throughout the network so that client management in the United Kingdom or China receives the same level of service they are used to experiencing in the US.
What should executives be doing now to address the new disclosures required for short-duration insurance contracts?
In 2014, I was part of a specialized team at Baker Tilly that was invited by the Financial Accounting Standards Board (FASB) to conduct a fatal flaw review of the proposed Accounting Standards Update (ASU) regarding short-duration insurance contract disclosures.
Our analysis considered several important questions:
- Is the proposed ASU understandable to a reader with a reasonable level of business/accounting knowledge?
- Is it clear to the reader how it is to be applied?
- Can it be applied/operationalized?
- Are there any unintended consequences in applying the proposed ASU?
The final requirement, ASU 2015-09, was published in May and applies to all insurance entities that issue short-duration contracts. Here is what I recommend insurance executives do now:
- One of the first key steps in the ASU is determining the level of aggregation or disaggregation to use in the disclosures. The ASU was intentionally written for this to be a principle-based decision by preparers of financial statements, based on the usefulness of the information to financial statement users. For most US insurers, Schedule P will be a good starting point, but it may include too many lines of business that need to be aggregated together. It is critical that this decision be analyzed early in the implementation phase, because it will drive many of the data needs for preparing the disclosures.
- After determining the level of aggregation or disaggregation to be utilized, companies should begin analyzing their data availability and comparing it against the requirements for the disclosures. If additional information or system changes are required, those items should be identified as early as possible.
For more information on these topics, or to learn how Baker Tilly insurance industry specialists can help, contact our team.