Is It Secure? The Questions You Should Ask Insurtech Vendors


Security of Agency Management Systems

Is it secure? This is the question that most insurance agencies ask agency management system (AMS) vendors during the purchase decision process, but they often don’t know what answer they’re looking for. The landscape of cloud storage and security is vast and can be incredibly confusing, so this is no surprise.

When the top software businesses “fix almost 70% more vulnerabilities than the average organization,” doing your due diligence with vendors is crucial.

But, again, what questions do you ask? What terminology should you be aware of? What answers are you hoping to get?

In this blog, we’ll cover some of the main things you should be aware of when it comes to software security, especially insurance software security like an agency management system (AMS).

Data Hosting

There are two primary types of data hosting: cloud-based and on-site. Cloud-based means your data is hosted in a data center outside your physical office and is managed by your software vendor (usually on top of a cloud provider's infrastructure). On-site means your data is literally on-site, on a server in your office, and is managed by your company, potentially with help from an IT vendor.

So, what are the implications of each? With cloud hosting, your data lives on the vendor's servers rather than on the computer, tablet, or phone you access it from, and a well-run vendor replicates it to more than one location and takes frequent backups, so losing or breaking a device doesn't lose your data. That's in contrast to on-site hosting, where backup is often a manual job and, in many small offices, done at most once a day, if it's done at all. One caveat worth knowing: replication is not the same thing as a backup. Replicas copy a deletion or a ransomware-encrypted file just as faithfully as they copy good data, so what you want from any vendor is point-in-time backups kept separate from the live system, plus evidence that a restore has actually been tested.

AgencyBloc's Chief Technology Officer, Cory Schmidt, also warns against unmanaged on-site data. With an on-site server you'll need to plan for catastrophic loss at your location, whether that's a physical disaster (fire, flood, theft) destroying the hardware or a virus or ransomware attack encrypting everything on it. He warns that people tend to perceive on-site hosting as safer, but it really isn't unless you're willing to spend a lot of money to make it so.

Terms to Know

HIPAA (Health Insurance Portability & Accountability Act) = the US federal law whose Privacy and Security Rules govern Protected Health Information (PHI); it requires administrative, physical and technical safeguards against misuse of and uncontrolled access to that data (encryption is an "addressable" safeguard, meaning a vendor must either implement it or document why an equivalent control is adequate); the HITECH Act extended these obligations directly to business associates such as software vendors and added breach notification requirements. If your AMS will hold PHI, the vendor is a business associate and should be willing to sign a Business Associate Agreement (BAA) with you.

SOC (System and Organization Controls) = an independent examination of a service provider's controls, performed by a CPA firm and written up as a report. For a hosted software vendor the relevant one is SOC 2, which covers the Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy). A Type I report describes controls at a point in time; a Type II report tests that they operated over a period (typically 6 to 12 months), and that is the one to ask for. Read the scope, the covered period and any exceptions the auditor noted, not just the cover letter. Vendors usually share it under NDA.

Questions to Ask:

  • How often is my data backed up, how long are backups kept, and how quickly can you restore them? (And when did you last test a restore?)
  • Who do you use to host the software & my data?
  • Where are my data & backups hosted?
  • What levels of compliance are in place, and can I see the reports (e.g. the SOC 2 Type II) and sign a BAA if I store PHI?

You're really vetting the vendor here. You want to know both the software vendor and the vendor behind the hosting; most companies are not trying to run their own data centers anymore. Why? Because cloud providers such as Amazon Web Services, Microsoft Azure and Google Cloud have platforms built for exactly this, with extensive physical security and redundancy built in. Keep in mind, though, that this is a shared responsibility: the cloud provider secures the buildings, hardware and underlying services, while your software vendor is still responsible for how it configures those services, for the security of its own application, for who gets access, and for backups. A data center's SOC report does not cover your vendor's code.

Lastly, find out where your data and backups are physically located (which data centers, and in which country), and who at the vendor and at the hosting provider can access those servers.

Availability & Reliability

When you go to access the system (whether it’s in an app or via a web browser), will it be available? And will it work when you access it?

These are two questions most software shoppers overlook, but it's important to understand how often the software might be down or unusable. That can happen, for instance, while the vendor is deploying an update, or when the application or the server it runs on fails. You also don't want to buy into software that is notoriously slow.

Note: you should NOT be the one alerting your software vendor that their site is down! Reputable vendors have monitoring in place that watches the availability and performance of their software so they can be proactive and fix issues as quickly as possible for their clients. Many also publish a public status page where you can see current and past incidents for yourself.

Statuspage says this about uptime:

“Most services fall somewhere between 99% and 100% uptime. Most cloud vendors offer some type of Service Level Agreement around availability. Amazon, Google, and Microsoft set their cloud SLAs at 99.9%. The industry generally recognizes this as very reliable uptime. A step above, 99.99%, or "four nines," is considered excellent uptime.”

Terms to Know

Uptime % = the percentage of time that a site/service is available. The nines add up fast: 99.9% allows roughly 8.8 hours of downtime per year (about 44 minutes a month), while 99.99% allows only about 53 minutes a year. Ask whether the number is measured or merely promised in an SLA, and whether scheduled maintenance is counted.

Page load time = on average, how quickly pages load; ask for the figure as measured from the user's browser, not just the server's response time, because the former is what your staff will actually experience.

Questions to Ask:

  • What is your historical uptime? (And ask whether this includes the time they're doing maintenance updates!)
  • What is your average page load time?
  • What types of monitoring are in place?

A lot of shoppers don’t think about these things ahead of time and, unfortunately, find them out after the fact when they’ve bought into an unreliable system. Don’t let this happen to you—ask up front!
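The maintenance question above matters more than it looks. As an added example (not from the original post and not AgencyBloc's code), here is how the headline uptime figure shifts depending on whether scheduled maintenance windows are counted as downtime. The incident log is constructed for a hypothetical vendor over one 30-day period; nothing in it is a real vendor's data.

```python
"""Uptime accounting: does "99.9%" include maintenance?

Added example, not from the original post and not AgencyBloc's code. The
incident log below is constructed for a hypothetical vendor over one 30-day
period; the functions show how the headline uptime figure moves depending on
whether scheduled maintenance windows are counted as downtime.
"""
from datetime import datetime, timedelta

# One 30-day period (constructed). 30 days = 43,200 minutes.
PERIOD_START = datetime(2018, 2, 1)
PERIOD_END = PERIOD_START + timedelta(days=30)

# Constructed incident records: (start, end, kind). "maintenance" is a
# scheduled window the vendor announced in advance; "outage" is unplanned.
INCIDENTS = [
    (datetime(2018, 2, 4, 2, 0), datetime(2018, 2, 4, 3, 30), "maintenance"),   # 90 min
    (datetime(2018, 2, 11, 14, 5), datetime(2018, 2, 11, 14, 35), "outage"),    # 30 min
    (datetime(2018, 2, 18, 2, 0), datetime(2018, 2, 18, 3, 0), "maintenance"),  # 60 min
    (datetime(2018, 2, 26, 9, 0), datetime(2018, 2, 26, 9, 12), "outage"),      # 12 min
]


def period_minutes(start, end):
    return (end - start).total_seconds() / 60


def downtime_minutes(incidents, kinds, start, end):
    """Minutes of downtime of the given kinds inside [start, end), clipping
    incidents that straddle the period boundary."""
    total = timedelta()
    for inc_start, inc_end, kind in incidents:
        if kind not in kinds:
            continue
        clipped_start = max(inc_start, start)
        clipped_end = min(inc_end, end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total.total_seconds() / 60


def uptime_percent(incidents, start, end, exclude_maintenance):
    """Measured availability over the period. With exclude_maintenance=True the
    scheduled windows are treated as if the service were up, which is how many
    SLAs are written; with False they count as downtime, which is what your
    staff actually experience at 2 a.m. on a Sunday (or, worse, at 2 p.m.)."""
    kinds = {"outage"} if exclude_maintenance else {"outage", "maintenance"}
    down = downtime_minutes(incidents, kinds, start, end)
    total = period_minutes(start, end)
    return 100.0 * (total - down) / total


def allowed_downtime_minutes(sla_percent, start, end):
    """Downtime an SLA of sla_percent permits over the period."""
    return period_minutes(start, end) * (100.0 - sla_percent) / 100.0


def meets_sla(measured_percent, sla_percent):
    return measured_percent >= sla_percent


if __name__ == "__main__":
    for excl in (True, False):
        up = uptime_percent(INCIDENTS, PERIOD_START, PERIOD_END, excl)
        label = "excluding" if excl else "including"
        print(f"uptime {label} maintenance: {up:.4f}%  meets 99.9%? {meets_sla(up, 99.9)}")
    print(f"99.9% allows {allowed_downtime_minutes(99.9, PERIOD_START, PERIOD_END):.1f} min per 30 days")
    year_end = PERIOD_START + timedelta(days=365)
    print(f"99.99% allows {allowed_downtime_minutes(99.99, PERIOD_START, year_end):.1f} min per year")
```

With these numbers the vendor reports 99.90% and "meets" a 99.9% SLA when maintenance is excluded (42 minutes against an allowance of 43.2), but only 99.56% when the two maintenance windows are counted. Same service, same month, two very different answers, which is why you ask the question in parentheses above.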

Data Security

Here’s the nitty gritty of this blog post. We’re back to that question: how secure is it? You need to know how your data and files (think of all the attachments you have) are protected within the software no matter how you’re accessing it and where from.

There are two items to consider here: encryption of your data, and how it's accessed, or, put another way, how easily someone who shouldn't be accessing it potentially could.

Terms to Know

Data In Transit / Data At Rest = In Transit is data (records and attached files) travelling between your computer or mobile device (office, coffee shop, home) and the vendor's servers, whereas At Rest is data sitting in storage on those servers and in their backups. The two are protected by different mechanisms, so ask about both.

Data encryption (SSL/TLS) = TLS (Transport Layer Security; SSL is its obsolete predecessor, though the name lingers) is the protocol behind https and the padlock in your browser, and it is what protects data in transit. Banks use it, which is where the marketing phrase "bank-grade" comes from, but the phrase is not a standard: ask which TLS versions the vendor supports and whether the old ones (SSL and TLS 1.0/1.1) are disabled. TLS does nothing for data at rest; that needs separate encryption of the database, file storage and backups, and someone has to manage the keys, so ask where those are kept and who can use them.

Two-step / Two-factor authentication = a second line of defense beyond your username and password, so that a stolen or guessed password alone isn't enough to get in; services send you a one-time code or link by text message or email, or have you use an authenticator app or a hardware security key. App-generated codes and hardware keys are stronger than SMS, which can be redirected to an attacker by a SIM-swap.

IP restriction = (sometimes called allowlisting or whitelisting) only allowing logins from certain IP addresses or ranges (e.g. your office and home connections). It's a useful extra layer for office-based staff, but many home and mobile connections change address, so treat it as a complement to two-factor authentication rather than a replacement.

Questions to Ask:

  • How are my data and files protected in transit and at rest, and who holds the encryption keys?
  • What options do you offer for additional security of my data (e.g. two-factor authentication, IP restriction, and an audit log of who viewed or changed a record)?

This is the nitty gritty because it's the area most people ask about, but it's potentially the most misunderstood. In short, you want a vendor who can tell you exactly how your data is encrypted in transit and at rest, and you want a vendor who provides two-step or two-factor authentication, ideally with the ability to require it for everyone in your agency. Both are ways to guard against those who shouldn't be accessing your data. If the only answer you get is "it's encrypted" or "it's bank-grade," ask them to be specific.
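The terms above describe what the user sees. As an added example, not from the original post and not any vendor's product code, here is what the server side of those defenses can look like: a password check, then an IP allowlist, then a time-based one-time code of the kind an authenticator app generates (TOTP, RFC 6238). The user record, salt, allowlist ranges and shared secret are constructed for illustration; the secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC's own table.

```python
"""Server-side layering of password, IP allowlist and TOTP second factor.

Added example: not from the original post and not any vendor's code. The user
record, salt, allowlist and TOTP secret below are constructed; the secret is
the RFC 6238 test-vector key so the codes can be checked against the RFC.
"""
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30  # seconds per code, the RFC 6238 default used by authenticator apps


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database doesn't yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically
    truncated per RFC 4226, zero-padded to the requested number of digits."""
    counter = unix_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side, to
    tolerate clock skew between phone and server; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), submitted)
        for drift in range(-window, window + 1)
    )


def ip_allowed(client_ip: str, allowlist) -> bool:
    """True if client_ip falls inside any of the allowlisted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def login(user: dict, password: str, code: str, client_ip: str, now: int):
    """Return (ok, reason). Every layer the account has enabled must pass; a
    correct password alone is never sufficient once 2FA or an IP restriction
    is switched on."""
    expected = user["password_hash"]
    if not hmac.compare_digest(expected, hash_password(password, user["salt"])):
        return False, "bad password"
    if user["ip_allowlist"] and not ip_allowed(client_ip, user["ip_allowlist"]):
        return False, "ip not allowed"
    if user["totp_secret"] and not verify_totp(user["totp_secret"], code or "", now):
        return False, "bad one-time code"
    return True, "ok"


# Constructed account. The allowlist uses documentation address ranges
# (RFC 5737); the TOTP secret is the RFC 6238 test key.
SALT = b"constructed-per-user-salt"
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "salt": SALT,
    "ip_allowlist": ["203.0.113.0/24", "198.51.100.7/32"],  # office range and home address
    "totp_secret": b"12345678901234567890",
}


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 table gives 94287082 (8 digits), so the
    # 6-digit code is 287082.
    print(login(USER, "correct horse battery staple", "287082", "203.0.113.45", 59))
    print(login(USER, "correct horse battery staple", "287082", "192.0.2.10", 59))
    print(login(USER, "correct horse battery staple", "081804", "203.0.113.45", 59))
```

Two design points worth noticing when you read a vendor's answer. The code is checked against a small window of time steps, because phones and servers disagree by a few seconds; a vendor that accepts codes from an hour ago has a much weaker second factor. And every comparison uses a constant-time compare, so the time a failed login takes doesn't leak how close the guess was.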

Data Privacy & Ownership

Who can see your data? Be sure you understand who else your software vendor works with who might also have access to your data. Do they outsource their development, for instance? If so, that third party might have access to your data. The same goes for their hosting provider and their own support staff: ask whether access to production data is restricted to the people who need it, and whether it is logged.

Further, you might want the ability to restrict access to certain parts of the system to certain people or groups of people in your agency. For instance, agencies often restrict agents to their own books of business, or want each department to see only the parts of the system it needs. Giving each person only the access their job requires is a basic part of data privacy, and it also limits the damage if one account is compromised.

When it comes to ownership of your data, it seems simple. But you need to ask upfront who actually owns your data once it's put into the system, and what happens to it if you leave. Will your vendor provide you a data archive or backup copy of your data, in a format you can actually use, for free?

Terms to Know

Data Archive (Backup Copy) = a full export of your data, in a format (such as CSV) that you can open or load into another system without the vendor's software

Questions to Ask:

  • Who has access to my data, inside and outside your company?
  • Can I restrict access to certain parts of the system from others in my organization?
  • Can I export my data without charge, and in what format?
  • Who owns my data, and what happens to it if I cancel?

This is another area shoppers can be blindsided by if they don’t ask the questions upfront. Be sure you are comfortable with the answers to these questions before you move forward with a vendor.

Software Maintenance & Updates

Technology changes rapidly. As you enjoy new features and updates within the system, each of those updates needs to be built and deployed securely, and the software also has to be patched to close newly discovered vulnerabilities, both in the vendor's own code and in the libraries, frameworks and operating systems it runs on.

Think of it like when your computer updates and restarts. If those updates aren't applied, your computer becomes vulnerable to security issues that are already publicly known, and the same is true of the software and servers behind a hosted system.

Terms to Know

Software Patches = updates to the system (or to the components it depends on) that close newly found vulnerabilities

Questions to Ask:

  • When do you do updates to the system? And how long is the downtime for this?
  • How quickly do you apply security patches once a vulnerability is disclosed, and is there a faster path for critical ones?
  • How do you ensure my data is protected from newly found vulnerabilities? (For example, do you have the software tested by an outside party?)

Ultimately, be sure your vendor is on top of software patches and that, when updates need to be made, they are done at a time when the downtime won't affect your daily business.

Vendor Reputation

This is the most important section of this post; vendor reputation is everything when it comes to security, reliability, and everything else we’ve discussed. It’s how you can know whether you’re making the right decision overall.

Make sure you understand who is behind the company. A WHOIS lookup on their domain will tell you when it was registered and through which registrar; registrant contact details are often redacted by privacy services these days, so a hidden name isn't by itself a red flag, but a domain registered last month is worth asking about. Is it a real company with a physical address and real people who can support you, or is it just a guy running it out of his house? Use Google Maps to look up the business address to confirm it exists. And be sure to look them up on LinkedIn! See what their company page looks like and who works there.

Also check out online reviews on business software review sites like Software Advice.

Here's an important one: know whether there are any conflicts of interest. Many insurtech solutions are actually owned by MGAs or by current or former brokers. If that's the case, you want to understand how your data will be kept confidential and not shared with or used by them in any way.

Lastly, ask for their Terms of Use and Security Policy (sometimes published as a security whitepaper), and read them! If they don't have these documents, that should definitely be cause for concern. They should spell out how the vendor handles your data, including what happens if there is a breach and how quickly you would be told.

Terms to Know

Domain Registration (WHOIS) = a public lookup of who registered a particular domain or web address, when, and through which registrar

Questions to Ask:

  • Who is behind the organization?
  • Are there any conflicts of interest?
  • What is in the Terms of Use and Security Policy?

Vendor reputation isn’t generally the first thing that comes to mind when people are thinking of software security, but it’s undeniably important. So do your research!

Password Best Practices

One last item to leave you with: password best practices. And you can use this advice for any and all of your passwords! We want to leave you with this because, apparently, "the top most-used password for the fourth consecutive year was '123456'. And 'password' ranked in second place."

To create a strong password, check out these do's and don'ts from Krebs on Security. You may be surprised to learn that the strongest passwords aren't crazy combinations of letters and numbers anymore; length is key. Never reuse a password between sites, and turn on two-factor authentication wherever the software offers it.

So, with all of this information, we hope you feel equipped to walk into conversations with software vendors knowing all the right terms and asking all the right questions.


Learn more in a webinar we hosted, The Nitty Gritty Security Questions You Need to Ask Insurtech Vendors, where our Chief Technology Officer, Cory Schmidt, goes into more depth on the terms you should know and the questions you should ask.



By Kelsey Rosauer on March 15, 2018 in Database Management

Kelsey is the Marketing Brand Specialist at AgencyBloc. She plans and creates educational resources to help our customers organize, automate & grow their insurance agency. Favorite quote: "I am convinced that life is 10% what happens to me and 90% how I react to it." —Charles R. Swindoll

