
Evaluating the Security of a RMIS? Here’s What to Look for, and Why


Nowadays, data privacy and security are top of mind for every enterprise. The growing number of high-profile data breaches is one reason. We’re also seeing increasingly stringent data privacy laws in the European Union and in such countries as Canada. At Ventiv Technology, we think security should be a major factor for risk managers when they’re evaluating risk management information software. This post discusses a few of the main reasons we take that position, as well as the things risk managers should look for.

 

Why data security matters:

Every enterprise is a target of cyber crime

In today’s world, technology systems are core to just about every enterprise. That’s because more and more companies are trying to differentiate themselves from their competitors by emphasizing to customers and investors their use of technology (including risk management information systems) and information assets. However, this emphasis on technology is a double-edged sword. For a long time, the primary targets of cyber criminals were technology, financial and healthcare firms. Today, reliance on technology across industries has made cyber risk an equal-opportunity threat.

Responsibility for cyber risk falls to risk managers

It’s an accelerating trend: senior leadership is asking risk managers to take greater ownership of cyber risk. There’s a growing consensus that managing cyber risk should no longer be the responsibility only of information security and information technology teams. In addition to understanding and then ensuring proper mitigation of cyber risks at an enterprise level, it’s important for risk managers to set the right example for their organizations by giving careful consideration to the data security and privacy elements of the third-party business solutions they themselves use.

 

What to look for:

Vendor transparency about accreditations, controls and safeguards

Ventiv’s philosophy is that it’s better for a risk manager, when selecting a third-party business solution like a RMIS system, to have complete and transparent knowledge of the accreditations, controls and security safeguards that apply to the confidential, protected data entrusted to that solution provider. The fact of the matter is, whenever an organization introduces a third-party hosted business solution, there will be risks. If features and functionalities are similar, we think there should be one deciding question: Which business risk management solution best mitigates the risks inherent in outsourced technology?

Know exactly where your data will be hosted

We think it’s critically important that risk managers and their organizations’ information security teams know with absolute certainty where their data is at all times and who has access to it. Organizations based outside of the United States have an especially strong appreciation for the locations at which their applications and data are hosted. The EU has some of the world’s most stringent laws and regulations around data privacy and security, but we think it’s only a matter of time before laws become stricter in the U.S., too.

Vendors need to be able to prove where the data they host for their clients resides at any given time. It’s also important that vendors never utilize or otherwise leverage the client’s data for their own purposes; Ventiv’s position is that the client’s data remains their exclusive property throughout our engagement, and although we take responsibility for its integrity and safety, we never use it for our own purposes.

No gaps in the third-party audits of data security and privacy

Cloud-based technology providers are often able to produce impressive-looking certifications, but if you ask to examine them closely, you’ll find that they apply only to portions of their technology infrastructure, policies and procedures.

Consider the example of global load balancing, which is relevant because it has to do with the location of client data and where the application is hosted. Commodity cloud providers subcontract hosting services to public cloud providers. At peak loads, these providers often use global load balancing technologies to redistribute internet traffic and processing power to less utilized locations: it might be the U.S., Australia, China, India, Europe. You’ll never know unless you have provisions within your contract restricting the physical location of your data, which the vast majority of customers don’t have.

By contrast, Ventiv’s RIScloud is the risk, insurance and safety market’s only technology infrastructure certified by third-party audits to be compliant in its entirety with ISO 27001:2005, SSAE 16/ISAE 3402 and URAC HIPAA Security standards. There are no gaps—like not knowing the country in which your data resides—to be found in the third-party audits performed on Ventiv.

Scott Wilson is Ventiv’s vice president of Hosting and IT Operations. Contact Scott at Scott.Wilson@ventivtech.com or +1-770-308-5499.


 

Mar 17, 2015
