Insurance Vendor Management: Disaster Recovery and Information Security


In this series on Insurance Vendor Management, we talked about the specialization of the insurance company and the agent, The 9 Critical Steps for Insurance Vendor Management, the fact that All Policies are Not Created Equal, and Insurance Company Ratings. In this article, we cover Disaster Recovery Plans and Information Security. Let’s dive in!

Disaster Recovery Plans

A disaster recovery plan is a strategy for backing up all information necessary for operations and regaining access to essential systems when a disaster eliminates that access. A lender, whether a credit union or a bank, should obtain verification that the insurance vendor and the agent have adequate and documented disaster recovery plans. This is an important piece to inquire about when lenders are conducting insurance vendor research. After all, a disaster or pandemic is when you may need your insurance provider the most.

Key questions to ask:

What are the disaster recovery plans for both the agent and the insurance company?
Do you and the company have short-term power backup for power outages?
Do you have backup storage?
Do you have alternate work locations?
Can you operate your critical systems from anywhere?
How often is the plan reviewed and updated?
How do you handle absenteeism of essential employees?

Every insurance provider for banks, credit unions, finance companies, or loan servicers should have a business continuity plan where they analyze the impact on their business and their customers in the case of a disaster. They should have recovery strategies in place, and the plans should be shared with all employees and tested regularly. 

Information Security

A vendor needs to prove to you that sensitive data is fully protected. Between a privacy policy and internal security controls, the office handling your information should be able to reassure you that your information will be kept safe. Many organizations voluntarily submit to a SOC audit to assess internal controls governing their services and data. These controls are called the Trust Services Principles and include security, availability, processing integrity, confidentiality, and privacy as outlined by the American Institute of Certified Public Accountants (AICPA). 

Key questions to ask:

What is your privacy policy?

Who has access to personal data?
Do you sell my customers’ data?
Who is accountable for your privacy policy?

Can you provide a copy of your information security policy?
Has your company completed a SOC audit? 

Vendor insurance management is far more than ratings and financial statements. The provider must show that they have the personnel to support that product line and the dedication to it, a policy set up to benefit your organization, and service and claims handling that pays in a timely manner when you have losses. They must prove they are committed to this product and that they will be there in the future. They should have an abundance of current references to confirm their ease of administration, reliability of service, and outstanding claims handling. Every credit union or bank must conduct its own due diligence.

At Unitas Financial Services, we know that Insurance Vendor Selection and Management are essential factors in choosing a collateral protection insurance provider. That’s why we strive to meet all of the standards outlined in this series on Insurance Vendor Management. Please don’t hesitate to get in touch should you have any questions on what to ask vendors you are considering. We’re here to help!