How Secure Are Agency Management Systems?

Is it secure? This is the question that most insurance agencies ask agency management system (AMS) vendors during the purchase decision process, but a simple "yes" won't suffice. Any AMS vendor should be able to lay out, in detail, the reasons their system is secure and explain the practices their company puts into place to keep it that way. 

When the top software businesses “fix almost 70% more vulnerabilities than the average organization,” doing your due diligence with vendors is crucial.

But, what questions do you ask? What terminology should you be aware of? What answers are you looking for?

The 6 Hallmarks of Secure Insurance Agency Management Systems

In this blog, we’ll cover the main things you should be aware of when it comes to software security, especially insurance software security like an agency management system (AMS).

1. Secure, Reliable Data Hosting

There are two primary types of data hosting, cloud-based and on-site. Cloud-based means your data is hosted in a data center outside your physical office and is managed by your software vendor. On-site means your data is literally on-site, in your office, and is managed by your company (potentially assisted by an IT vendor).

So, what are the implications of each? Cloud-hosted data is typically replicated to more than one location, often continuously, so the latest version of your data survives even if something happens to the physical computer, tablet, or phone you access it from; nothing lives on the device. That's in contrast to on-site hosting, where backup is manual or scheduled, typically only done once per day, so you can lose up to a day of work, and the backup copy often sits in the same building as the server it protects. Ask the cloud vendor to confirm how often and to how many locations your data is replicated rather than assuming it.

Chief Technology Officer at AgencyBloc, Cory Schmidt, also warns against unmanaged data on-site. With this, you’ll need to consider catastrophic loss at your on-site location. Catastrophic loss could come in the form of a physical disaster destroying your data on-site, or a virus or ransomware attack. He warns that people tend to perceive on-site hosting to be safer, but it really isn’t unless you’re willing to spend a lot of money to make it so.

Terms to Know:

HIPAA (Health Insurance Portability & Accountability Act) = US law whose Privacy and Security Rules govern PHI (Protected Health Information); the Security Rule requires administrative, physical and technical safeguards (access controls, audit logs, encryption of PHI, which is an "addressable" specification you must either implement or justify not implementing) that guard against misuse and/or uncontrolled access to this data; the HITECH Act later strengthened enforcement, added breach-notification duties and made business associates, such as your software vendor, directly responsible for protecting electronic records

SOC (System & Organization Controls) = an independent third-party auditor's report on a service provider's controls; SOC 2 covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). A Type I report describes the controls at a point in time; a Type II report tests that they actually operated over a period (usually six to twelve months), so Type II is the one to ask for

Questions to Ask:

  • Do you have a SOC 2 Type II report, and can I review it (under NDA if necessary)?
  • How often is my data backed up?
  • Who do you use to host the software & my data?
  • Where are my data & backups hosted?
  • What levels of compliance are in place?

You’re really vetting the vendor here. You want to know both the software vendor and the vendor behind the hosting; most companies are not trying to be their own hosting vendor anymore. Why? Because cloud providers (ex: Amazon Web Services) provide platforms with extensive security and reliability built in. Keep in mind, though, that this is a shared responsibility: the cloud provider secures the data centers and the underlying platform, while your software vendor is still responsible for configuring it correctly (who can reach the storage, how backups and encryption keys are handled), so "we're hosted on AWS" is a starting point, not a complete answer.

2. Availability & Reliability

When you go to access the AMS (whether it’s in an app or via a web browser), will it be available? And will it work when you access it? These seem like silly questions, but knowing your vendor's historical up and downtime of their system gives you insight into their practices.

Downtime can occur when the vendor is pushing an update to the system. It also can happen when the software itself or the hosting server is unexpectedly down. 

Reputable vendors have tools in place that monitor the performance of their software so that they can be proactive and solve issues as quickly as possible for their clients.

Statuspage says this about uptime:

“Most services fall somewhere between 99% and 100% uptime. Most cloud vendors offer some type of Service Level Agreement around availability. Amazon, Google, and Microsoft set their cloud SLAs at 99.9%. The industry generally recognizes this as very reliable uptime. A step above, 99.99%, or "four nines," is considered excellent uptime.”

Terms to Know:

Uptime % = the percentage of time that a site/service is available

Page load time = on average, how quickly the pages (or screens) load

Questions to Ask:

  • What is your historical up-time? (and ask if this includes when they’re doing maintenance updates)
  • What is your average page load time?
  • What types of software performance monitoring are in place?

Many agencies miss asking these things ahead of time and, unfortunately, find them out after the fact when they’ve bought into an unreliable system. Don’t let this happen to you—ask up front!
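As a worked example added here (it is not from the original post or from any vendor), the following script turns an SLA percentage into a downtime budget and measures uptime from a status history two ways, with and without scheduled maintenance windows, which is exactly the distinction the first question above asks about. The incident list is constructed sample data for one 30-day window.

```python
from datetime import datetime, timedelta

# Constructed status history for one 30-day window (example data, not any
# vendor's real uptime record). Each entry: (start, end, kind) with kind
# either "unplanned" (an outage) or "maintenance" (an announced update window).
INCIDENTS = [
    (datetime(2021, 11, 2, 3, 0),   datetime(2021, 11, 2, 3, 40),  "maintenance"),
    (datetime(2021, 11, 9, 14, 12), datetime(2021, 11, 9, 14, 31), "unplanned"),
    (datetime(2021, 11, 16, 3, 0),  datetime(2021, 11, 16, 3, 30), "maintenance"),
    (datetime(2021, 11, 23, 9, 5),  datetime(2021, 11, 23, 9, 9),  "unplanned"),
]
WINDOW_START = datetime(2021, 11, 1)
WINDOW_END = datetime(2021, 12, 1)


def allowed_downtime(sla_percent: float, days: int = 30) -> timedelta:
    """Downtime budget implied by an SLA percentage over a window of `days`."""
    return timedelta(days=days) * (1 - sla_percent / 100)


def measured_uptime(incidents, start, end, include_maintenance: bool) -> float:
    """Uptime percentage over [start, end). Maintenance windows count as downtime
    only when include_maintenance is True; incidents overlapping the window edge
    are clipped to the window."""
    down = timedelta()
    for s, e, kind in incidents:
        if kind == "maintenance" and not include_maintenance:
            continue
        s, e = max(s, start), min(e, end)
        if e > s:
            down += e - s
    return 100 * (1 - down / (end - start))


def sla_report(incidents, start, end, sla_percent: float) -> dict:
    """Both ways of counting, so the difference is visible when a vendor quotes
    an uptime figure without saying whether maintenance is included."""
    budget = allowed_downtime(sla_percent, (end - start).days)
    excl = measured_uptime(incidents, start, end, include_maintenance=False)
    incl = measured_uptime(incidents, start, end, include_maintenance=True)
    return {
        "budget_minutes": budget.total_seconds() / 60,
        "uptime_excluding_maintenance": round(excl, 4),
        "uptime_including_maintenance": round(incl, 4),
        "meets_sla_excluding_maintenance": excl >= sla_percent,
        "meets_sla_including_maintenance": incl >= sla_percent,
    }


if __name__ == "__main__":
    for key, value in sla_report(INCIDENTS, WINDOW_START, WINDOW_END, 99.9).items():
        print(f"{key}: {value}")
```

With this sample history the vendor meets a 99.9% SLA (a budget of 43.2 minutes per 30 days) if maintenance is excluded, and misses it if maintenance is counted. That is why the question about maintenance windows matters: the headline number can be true either way.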

3. Data Encryption & Security

Here’s the nitty gritty of this blog post. We’re back to that question: how secure is it? You need to be confident your data and files are protected no matter how you’re accessing the software and where from.

There are two items to consider here: how your data is encrypted, and how it's accessed—or, better put, how easily someone who shouldn't be accessing it potentially could.

Terms to Know:

Data In Transit / Data At Rest = In Transit is data moving over the network between your computer or mobile device (office, coffee shop, home) and the vendor's servers (both data & files), whereas At Rest is data sitting in storage on those servers, which includes the database, uploaded files and the backups

Encryption in transit (TLS, often still called SSL) = the protocol behind https:// that encrypts traffic between your browser or app and the vendor's servers so it can't be read or altered on the way; used by financial institutions and most other sites, which is where the "bank-grade" phrase comes from (it is a marketing term, not a standard). Ask for specifics: TLS 1.2 or 1.3, with the older SSL and TLS 1.0/1.1 versions disabled

Encryption at rest = encrypting the stored data itself (AES-256 is the usual answer) so that a copied disk or stolen backup is unreadable without the key; ask whether it covers backups and uploaded files as well as the database, and who holds the keys

Two-step / Two-factor authentication (2FA) = a second proof of identity beyond your username and password, so a phished or reused password alone isn't enough; common forms are a code from an authenticator app, a hardware security key, or a unique link or code sent by text message or email. The text-message and email variants are the weakest (SIM swapping and a compromised mailbox defeat them), so prefer app- or key-based factors, and confirm the vendor can require 2FA for every user rather than leaving it optional

IP restriction = (sometimes called allowlisting or whitelisting) only allowing logins from certain IP addresses or address ranges (i.e. office, VPN); home and mobile connections change addresses often, so in practice this is paired with a company VPN, and it complements two-factor authentication rather than replacing it

Questions to Ask:

  • How are my data/files protected in-transit and at rest?
  • Which TLS versions do you support, and does encryption at rest cover backups and uploaded files as well as the database?
  • Who holds the encryption keys, and who at your company can access my data?
  • What options do you offer for additional security of my data? Can two-factor authentication be enforced for all of my users?

This is the nitty gritty because it’s the area most people ask about, but it’s also potentially the most misunderstood. In short, you want a vendor who can tell you exactly how your data is encrypted (TLS versions in transit; algorithm, key handling and backup coverage at rest), and you want a vendor who provides, and lets you enforce, two-step or two-factor authentication. The two guard against different things: encryption protects data from eavesdroppers and copied storage, while a second factor protects accounts whose passwords have been phished or reused. Together they are solid ways to guard against those who shouldn’t be accessing your data.

4. Data Privacy & Ownership

Data privacy at the vendor level was covered above: a vendor's SOC 2 report describes the controls that keep your data confidential, while ownership of the data is defined in the contract or terms of service, not in the audit report. What we're talking about here is at the agency level.

Depending on your agency's structure, you may want the ability to restrict access to certain parts of the system from certain people or groups of people in your agency. For instance, agencies often restrict agents’ access to solely their own books of business. Or, some agencies want each department to only be able to see certain pieces of the system. All of this is important for data privacy and is an important area to cover with vendors.
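The two restrictions just described, agents limited to their own books of business and departments limited to their own part of the system, as an added example (not AgencyBloc's code): a default-deny authorization check with a row-level rule (which records a user may see) and a field-level rule (which fields of those records), applied to constructed sample records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "agent", "manager" or "admin"
    department: str    # line of business the user works in: "life" or "health"


@dataclass(frozen=True)
class PolicyRecord:
    policy_id: str
    client: str
    agent: str         # the agent whose book of business this policy belongs to
    line: str          # "life" or "health"
    commission: float


def can_view(user: User, rec: PolicyRecord) -> bool:
    """Row-level rule. Anything not explicitly allowed is denied, so a new or
    mistyped role sees nothing rather than everything."""
    if user.role == "admin":
        return True
    if user.role == "manager":
        return rec.line == user.department      # whole department, nothing else
    if user.role == "agent":
        return rec.agent == user.name            # own book of business only
    return False


def present(user: User, rec: PolicyRecord) -> dict:
    """Field-level rule: commission figures are shown to managers and admins only."""
    view = {"policy_id": rec.policy_id, "client": rec.client,
            "agent": rec.agent, "line": rec.line}
    if user.role in ("manager", "admin"):
        view["commission"] = rec.commission
    return view


def visible_policies(user: User, records) -> list:
    """Filter first, then redact: a record the user may not see is never
    handed to the presentation step at all."""
    return [present(user, r) for r in records if can_view(user, r)]


# Constructed sample data (not real clients, agents or commissions).
RECORDS = [
    PolicyRecord("P-1001", "A. Client", "dana", "life", 120.0),
    PolicyRecord("P-1002", "B. Client", "dana", "health", 80.0),
    PolicyRecord("P-1003", "C. Client", "lee", "health", 95.0),
]


if __name__ == "__main__":
    for who in (User("dana", "agent", "life"), User("morgan", "manager", "health")):
        print(who.name, who.role, visible_policies(who, RECORDS))
```

When you evaluate a vendor's permission model, the two things to look for are the same as in this sketch: that access is denied unless a rule grants it, and that restrictions apply to individual fields (commission amounts, client contact details) and not only to whole records or screens.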

When it comes to ownership of your data, it seems simple, right? But you need to ask up front who actually owns your data once it's put into the system, and whether you can get all of it back. Are there easy ways to export all of your data, including attached files, in a standard format if you ever need to leave?

Terms to Know:

Data Archive (Backup Copy) = full backup of your data

Questions to Ask:

  • Who has access to my data?
  • Can I restrict access to certain parts of the system from others in my organization?
  • Can I export my data without charge?
  • Who owns my data?

This is another area agencies can be blindsided by if they don’t ask the right questions upfront. Be sure you are comfortable with the answers to these questions before you move forward with a vendor.

5. Regular Software Maintenance & Updates

Technology changes rapidly. New features and updates are the part you see; underneath, the software, the libraries it's built on and the servers it runs on all have to be patched as new vulnerabilities are discovered, and every release needs to be tested so that it doesn't introduce security issues of its own.

Think of it like when your computer updates and restarts. If these aren’t done, your computer can become vulnerable to new security issues.

Ask any AMS vendor about, not only their planned updates to the system (the fun stuff!), but about their maintenance schedule, as well. 

Terms to Know:

Software Patches = updates that fix bugs and close newly discovered vulnerabilities, whether in the vendor's own code or in the components it depends on

Questions to Ask:

  • When do you do updates to the system? And how long is the downtime for this?
  • How do you ensure my data is protected from newly found vulnerabilities?
  • How quickly do you apply a patch for a critical vulnerability, and how are clients notified?

Ultimately, be sure your vendor is on top of software patches and that, when an update requires downtime, it is scheduled at a time that won’t affect your daily business.

6. Vendor Reputation

This is the most important section of this post; vendor reputation is everything when it comes to security, reliability, and everything else we’ve discussed. It’s ultimately how you'll feel confident you’re making the right decision overall.

Make sure you understand who is behind the company. A Domain Registration WHOIS lookup shows when their domain was registered, and sometimes by whom; since 2018 most registrant details are redacted for privacy, so seeing only a registrar or privacy proxy is normal and not a warning sign on its own, but a domain registered a few months ago by a supposedly long-established vendor is. Be sure to look them up on LinkedIn to see what their company page looks like and who works there. In today's age of remote work, vendors may or may not have a physical office, but their LinkedIn page can still serve as a great resource to identify a count of employees and the makeup of those employees (looking especially for the product and engineering team, in the case of this blog).

Also, check out their testimonials on their website, Google, and across other review sites. Search through the reviews for mentions of reliability of their software as well as helpfulness of their team—the human element of software is still SO important!

Terms to Know:

Domain Registration (WHOIS) = a lookup of who registered a particular domain or web address and when; contact details are often redacted, but the registration date and registrar are still visible

Questions to Ask:

  • Who is behind the organization?
  • What does the employee makeup (job titles) of the company look like?
  • What is in the Terms of Use and Security Policy?

Vendor reputation isn’t generally the first thing that comes to mind when people are thinking of software security, but it’s undeniably important. So do your research!

With all of this information, we hope you feel equipped to walk into conversations with software vendors knowing your security terms and which questions are most important to ask.

AgencyBloc Successfully Completed SOC 2 Type II Audit for Its Platform and Processes

AgencyBloc has successfully completed its System and Organization Controls 2 (SOC 2) audit and received its report with a clean opinion, demonstrating AgencyBloc’s priority of keeping its clients’ data confidential and secure.


Posted by Kelsey Rosauer on Wednesday, December 15, 2021 in Data Management & Security

  1. data management
  2. vendor vetting

About The Author

Kelsey Rosauer

Kelsey is the Marketing Manager at AgencyBloc. She helps lead a team of talented marketers in their efforts towards serving and educating life and health insurance agencies. Favorite quote: "You can't use up creativity. The more you use the more you have." —Maya Angelou