Insurance companies face many challenges when managing third-party vendor risks. Many companies don’t have direct visibility into a vendor’s practices, data privacy and cybersecurity regulations continue to evolve, and vendor risks change continuously.
Even if your insurance company has strong security and risk management practices, it’s only as strong as your weakest vendor. Robust and effective vendor risk management (VRM) practices protect your insurance company.
Vendor risk management practices help insurers mitigate risk, ensure regulatory compliance, and enhance operational resilience. Insurers better safeguard their reputation and gain a competitive edge with vendor risk management.
Understanding the Insurance Industry’s Regulatory Requirements
Many laws, regulations, and industry guidelines govern the insurance industry. Not only should your insurance company comply with these, but your vendors should as well.
Here’s an overview of the insurance industry’s regulators and advisors and third-party implications:
- State-level regulations: The primary U.S. regulators of the insurance industry are the states. The McCarran-Ferguson Act of 1945 gave states the right to tax and regulate insurance. Statutes and rules differ from state to state. For insurers, this means working with more than 50 different state agencies and hiring state-licensed lawyers.
- Insurance Data Security Model Law: Adopted by many U.S. states, this law requires insurance companies to implement comprehensive information security programs, including programs that address third-party vendor risk.
- Federal Insurance Office (FIO): Monitors all aspects of the insurance industry. Insurance companies must ensure third parties don’t engage with restricted or prohibited parties, especially in transactions involving foreign countries or individuals.
- National Association of Insurance Commissioners (NAIC): Although not a regulator, NAIC provides guidance and expertise for insurance commissioners to regulate the insurance industry.
- Gramm-Leach-Bliley Act (GLBA): Requires U.S. financial institutions to protect the privacy and security of customers' non-public personal information. Insurers must implement safeguards to control vendor access to customer information and conduct due diligence.
- General Data Protection Regulation (GDPR): Applicable to insurance companies operating within the European Union (EU) or processing the personal data of EU residents. GDPR imposes strict requirements on data protection, including conducting impact and risk assessments on third-party vendors and reporting cybersecurity events.
- Payment Card Industry Data Security Standard (PCI DSS): If an insurance company handles payment card transactions, PCI DSS outlines security requirements to protect cardholder data, including maintaining secure networks, implementing strong access controls, and regularly testing security systems.
- Sarbanes-Oxley Act (SOX): Although primarily focused on financial reporting, SOX requires insurance companies to establish internal controls and procedures to ensure the accuracy and reliability of financial statements, which may include managing vendor risks.
Vendor Risks in the Insurance Industry
Each vendor has inherent risks to identify and mitigate. If your insurance company has inadequate vendor risk management, it can increase costs and lead to financial losses.
Here are six vendor risks in the insurance industry:
- Cybersecurity risks: Insurers use their customers’ personal data to assess risk, set premiums, and develop products and services. This volume of data makes the industry a prime target for cyberattacks.
Insurance companies must verify vendors have safeguards to protect sensitive customer information. Regularly review and update security protocols to align with emerging threats and evolving regulatory standards.
- Operational risks: A vendor disruption or failure may result in operational downtime, delayed claim processing, and dissatisfied customers. Both your insurance company and vendors need plans to maintain services during disruptions. Test and assess the plans regularly.
- Jurisdictional risks: This is the risk of engaging vendors located in different legal jurisdictions. There are variations in laws, economic conditions, and political stability across states and countries. For example, a third-party claims processor located in a different country poses jurisdictional risk.
Research laws, regulatory frameworks, and requirements in the vendor’s jurisdiction, seek legal expertise, include contractual protections, monitor legal changes, and consider appropriate insurance coverage.
- Reputational risks: Customers rely on insurance companies to provide everything from car and house coverage to healthcare and business insurance. It only takes one incident, like a data breach or disruption in service, to damage your insurance company’s reputation, even if your vendor was the one at fault.
- Regulatory risks: Insurance companies and their vendors are responsible for complying with applicable laws and regulations. If vendors aren’t in compliance, your insurance company could face fines and costly litigation.
- Artificial intelligence (AI) risks: This has emerged as a top risk for the insurance industry. Many companies contract with vendor AI services to interface with customers – creating regulatory, cybersecurity, and reputational risks. NAIC recently released a bulletin for insurers’ use of AI, which many states adopted.
Developing a Vendor Risk Management Framework for the Insurance Industry
A vendor risk management framework gives your insurance company a structured, repeatable way to manage vendor risks. It must address the insurance industry’s unique third-party risks.
Note: In 2024, NAIC established the Third-Party Data and Model Task Force. This task force plans to create a framework for regulating third-party data and models in 2025.
A vendor risk management framework in the insurance industry should include:
- Defined governance structures: Include clear vendor risk management policies and procedures. Outline how vendor risks are identified, assessed, monitored, and mitigated at your insurance company.
- Clear roles and responsibilities: Identify and understand who is responsible for managing vendor risks and who’s responsible for overseeing the process. For many insurance companies, cyber teams take on this role, but to effectively manage vendor risks, consider creating a dedicated team.
- Vendor planning process: Before contracting a vendor, identify your insurance company’s need for the relationship. Conduct market research and requests for proposals (RFPs).
- Assess each vendor’s risks: Determine how much risk a vendor poses to your insurance company. The higher the vendor’s risk, the more oversight it requires. Perform an inherent risk assessment to identify the vendor’s types and amounts of risk.
- Perform vendor due diligence: Collect due diligence documentation to analyze how the vendor is managing its risks. Reviewing information security policies, business continuity and disaster recovery plans, and SOC 2 reports is crucial to keeping your company’s data protected. Other documents, such as financial statements and the vendor’s own VRM policies, provide further insight into the vendor’s practices.
- Create and review vendor contracts: Negotiate and finalize the terms and conditions of the contract. Set service level agreements (SLAs), key contractual dates, termination clauses, exit plan strategies, etc. Set expectations for how the vendor will protect your insurance company’s data.
- Continually reassess vendor risk and performance: Conduct regular performance reviews, meetings, and reporting to ensure the vendor meets expectations. Address concerns or issues promptly and foster collaboration.
- Include vendor termination processes: When a vendor relationship ends, have a process for how the product or service will be replaced or discontinued. Understand how the vendor will return or destroy your insurance company’s sensitive data.
A proactive approach to vendor risk management protects insurance companies from unnecessary risks. By implementing a vendor risk management framework, insurance companies enhance resilience and secure long-term success.