3Qs with Eddie T, Compliance and Security Manager at Breathe Life
Q: Can you walk us through why security and compliance are so important in the life insurance industry?
A: Over the last few years, we have seen a significant change in the relationship between industries and their target markets. With the rising dominance of consumer trust dictating market disposition, the life insurance industry must look to security and compliance to meet the expectations of consumers set out by the changing privacy landscape. As more privacy and data protection laws emerge, consumers hold the industry to standards that assure them of the safety of their personal information. As an industry, aligning with these expectations by prioritizing security and compliance builds trust and confidence in our consumers. This trust leads to loyalty and keeps the life insurance industry thriving.
Compliance and security give value to life insurance data. Data is intrinsically valuable in the digital age and this value is enhanced by how its collection, processing, and storage are managed. Governing bodies over various aspects of life insurance data establish restrictions in equivalence to the deemed value of the said data. These restrictions affect the evaluation of organizational risk; compliance, through the implementation of security controls; and the utility of the data by the organization. As a result, the original value of data is enhanced and the cycle repeats with governing bodies deeming the data more valuable to the industry.
Accordingly, through compliance and security we enhance both the value of industry data and consumer trust for the industry, thus encouraging the buying and selling of goods within the industry and contributing to the national economy as a whole.
Q: Can you explain how a technology provider can go about meeting industry standards and what the biggest challenges that they might face would be?
A: To meet industry standards, a technology provider should define a compliance governance program that entails the use of policies, standards, process flows, procedures, responsibilities, reporting lines, and feedback mechanisms in alignment with standards.
The governance program starts with a business directive and is followed closely with an allocation of funds to meet this goal. Through a gap assessment, the provider is made aware of potential lapses in its compliance program and the risks associated with having those gaps. Administrative, technical, and physical controls are then put in place to treat the prioritized risks alongside bringing the organization into compliance with industry standards. Consistent auditing and monitoring of the implemented controls ensure that the compliance program grows to meet the changing landscape of technology within the organization and within the industry at large.
Technology providers face the challenge of aligning with ever-evolving industry standards. As technology advances, regulatory standards are modified to stay abreast of innovation. This makes meeting standards, within an industry, a never-ending process. This requires subject matter experts to have up-to-date knowledge of technology trends and their direction. Moreover, to add another layer of complexity, these standards also differ geographically by region, country, and/or state/province in North America alone.
Congruent to this is the significant challenge presented by the lack of expertise to champion compliance within the industry. Identifying and retaining subject matter experts adept at the nuance of the geographical intricacies associated with meeting changing standards is in itself challenging. They are rare in general and even more scarce in industry-specific niches like life insurance, for example.
This leads to the challenge of cost. The people, process, and technology required to run a robust compliance program to meet and maintain industry standards come with a significant price tag. Providers tend to put compliance and security on the back burner until it becomes absolutely necessary. This creates retroactive challenges when trying to bake policies and procedures into an established non-compliant culture that affects time and ultimately the cost of conformance.
Q: Any thoughts on the future of security and compliance within the industry? Is it getting more heavy-duty? Loosening up?
A: An aspect of my role that I enjoy is keeping abreast of the future of the industry, and how security and compliance are evolving in general. We can be certain that privacy laws will consistently mature in establishing the individual as data owner, which, in my opinion, is a step in the right direction.
We will see more laws take effect and significant updates to existing privacy regulations. The State of California, for example, is setting a standard that other US states are bound to follow. In Canada, Bill C11 – An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts, is currently under discussion. If it should pass in Parliament, Canada will have one of the most stringent privacy laws in the world, akin to the European Union’s GDPR that came into effect in the Spring of 2018. Moreover, in Asia, China’s Personal Information Protection Law went into effect at the beginning of this month, and we are bound to see similar regulations enforced across the globe.
These changes will likely bring some level of tension within the industry, but the ultimate goal is to give due responsibility to data owners and enhance consumer trust in, and for, technology providers that align with these standards. While the next few years may prove difficult to adjust to, it will get easier with time as privacy settles in as a norm. Accordingly, technology providers like Breathe Life Inc., at the forefront of security, privacy, and compliance within the life insurance industry, will thrive in the anticipated heavily regulated market.