April 2018
Taking InsurTech on the Road: Mobile App Bumps and Solutions 

As insurers, agencies, producers and service companies seek to become more efficient and competitive in the InsurTech marketplace, offering mobile apps seems to be one obvious solution.  

By employing mobile apps, digitally savvy individuals can apply for coverage while having their morning coffee, policyholders can pay premiums and file claims from the break room and insurers can promote loss prevention practices and claims adjustment with a series of clicks anywhere. 

The convenience and efficiency of doing insurance business using mobile apps – whether by the policyholder, producer, carrier or other persons – does not come without risks. 

Regulated persons (insurers, agencies and producers alike) should establish a vetting process in order to mitigate regulatory and security risks inherent in employing all technologies and particularly mobile apps. To assist this process, the National Institute of Standards and Technology has established step-by-step recommendations to augment data security generally, see the NIST cybersecurity standards. Similarly, the National Association of Insurance Commissioner’s recently released its Insurance Data Security Model Law.

Implementing Mobile Technology

When adopting a new technology, organizations should analyze the potential security impact that technology may have on information security resources, on data, and on policyholders. 

Unlike a desktop computer system, where software exists within a tightly controlled environment that is uniform throughout the organization, mobile apps pose unique security challenges. They cull personal information from physical sensor data, personal health metrics, pictures and video, to a much higher and more precise degree than desktop systems. Mobile devices also have a wider variety of network services than traditional enterprise applications, like Wi-Fi, 2G/3G and 4G/LTE in addition to short-range data connectivity options like Bluetooth and Near Field Communications. All of these mechanisms for data transmission can be vectors for hackers.

Meeting Regulatory Requirements

Although not yet effective, when adopted, the NAIC Data Security Model Law will require all persons regulated by adopting state insurance departments to establish standards for data security that will be applicable to data utilized on all forms of technology, including mobile devices. The Data Security Model Law will require, among other things, that licensees:
  • Provide safeguards for the protection of nonpublic data.
  • Assess reasonably foreseeable, internal or external threats to access or misuse of data and the sufficiency of safeguards against such threats.
  • Include cybersecurity risks in the organization’s enterprise risk management process.
  • Provide cybersecurity awareness training based on the organization’s risk assessment.

In concert with ensuring compliance with state regulation of data security, organizations doing insurance business through mobile apps must also ensure such mobile processes and use of data meet standard regulatory compliance requirements, such as:
  • Preserving compliance with distribution, pricing, policy forms, and satisfaction with other relevant regulatory requirements.
  • Maintaining evidence of compliance for regulatory audits and examinations.

Analyzing Risk v. Reward

An app that is critical to the organization’s business processes or that will be made available to customers/policyholders or the general public must be vetted more thoroughly, since the repercussions from a security breach are much higher than with apps of more limited use. Critical steps include:
  • Acknowledging the risks inherent in the utilization of the app.
  • Understanding the variation of risk for mobile apps that interact with the organization’s system-wide desktop software versus those that are used only on mobile devices.
  • Recognizing the value of testing apps internally before rolling out for organization-wide, targeted or public distribution.

For More Information

A well-defined and comprehensive vetting process for mobile apps should be a part of any organization’s overall information security strategy. Polsinelli’s InsurTech, a collaboration of its Insurance Business and Data Privacy practice groups, can help your organization:

  • Understand the unique aspects of vetting mobile apps relative to the insurance industry.
  • Plan for implementing an app vetting process.
  • Develop app security requirements that are specific to and compliant with the insurance industry’s highly regulated environment.
  • Understand the types of app vulnerabilities and how to detect them.
  • Analyze the risks and appropriateness of apps deployed to mobile devices.
Please contact:

Kathryn Allen, Shareholder, Technology Transactions and Data Privacy