How Secure Are Insurance Agency Management Systems?
Is it secure? This is the question that most insurance agencies ask agency management system (AMS) or customer relationship management (CRM) vendors during the purchase decision process, but a simple "yes" won't cut it. Any AMS vendor should be able to explain in detail the reasons their system is secure and explain the practices their company uses to keep it that way.
In 2023, the number of worldwide published CVEs (Common Vulnerabilities and Exposures) increased by 15% year over year. This is just one reason why doing your due diligence with vendors is crucial.
But what questions do you ask? What terms should you be aware of? What answers are you looking for? Keep reading to find out.
The 6 Hallmarks of Evaluating Agency Management System Vendor Security
In this blog, we'll cover the main things you should be aware of regarding software security — especially insurance software security, like an agency management system (AMS).
1. Secure, Reliable Data Hosting
There are two primary types of data hosting: cloud-based and on-site. Cloud-based means your data is hosted in a data center outside your physical office and is managed by your software vendor. On-site means your data is literally on-site, in your office, and is managed by your company (potentially assisted by an IT vendor).
So, what are the implications of each?
Cloud-based data is backed up to several locations in real-time, meaning the latest version of your data is saved, even if something happens to the physical computer, tablet, or phone you access it from. That's in contrast to on-site hosting, where backing up your data is manual and typically only done, on average, once per day.
Cory Schmidt, the Chief Technology Officer at AgencyBloc, also warns against unmanaged on-site data. With on-site hosting, you'll need to consider catastrophic loss at your physical location. A catastrophic loss could come in the form of a physical disaster destroying your data on-site, or a virus or ransomware attack. He warns that people tend to perceive on-site hosting to be safer, but it really isn't unless you're willing to spend a lot of money to make it so.
Terms to Know:
HIPAA (Health Insurance Portability & Accountability Act) = mandates specific controls such as encryption; covers PHI (Protected Health Information) and guards against misuse of and/or uncontrolled access to this data
HITECH (Health Information Technology for Economic & Clinical Health Act) = encourages the use of EHR (electronic health records) and other health information technology; bolsters the privacy and security regulations of HIPAA
HITRUST (Health Information Trust Alliance) = an independent assessment framework and certification report that evaluates how organizations, especially in healthcare, manage data, information risk, and compliance
SOC (System & Organization Control) = independent third-party examination report; confirms compliance controls & objectives
Questions to Ask:
- Does the company have a SOC 2 Type II report?
- Does the company have a HITRUST report?
- Is their platform HIPAA or HITECH-compliant?
- How often is data backed up?
- Who does the company use to host the software & data?
- Where are the data & backups hosted?
- What levels of compliance are in place?
- Does the company perform regular security audits?
You're really vetting the vendor here. You want to know both the software vendor and the vendor behind the hosting; most companies are no longer trying to be their own hosting vendor. Why? Because cloud vendors (e.g. Amazon Web Services) provide platforms with extensive security and reliability built in. Then, you want to know the security principles the company has in place for performing audits and monitoring for attacks, plus the security standards they meet.
2. Availability & Reliability
Will the AMS (whether in an app or via a web browser) be available when you access it? And will it work when you access it? These seem like silly questions, but knowing your vendor's historical uptime and downtime gives you insight into their practices.
Downtime can occur when the vendor is pushing an update to the system. It can also happen when the software or hosting server is unexpectedly down.
Reputable vendors have tools in place that monitor the performance of their software so that they can be proactive and solve issues as quickly as possible for their clients.
Uptrends says this about uptime:
“Although 100% uptime is the goal, the industry considers 99.999% uptime as high availability. Every website experiences downtime, planned or otherwise. Every website provider wants to keep uptime as high as possible, and rightfully so with the competitive nature of the Internet. Knowing that some downtime is expected, most brands try to meet a goal of 99.999% uptime. You may see this goal referred to as ‘five-nines availability’ or ‘high availability.’”
Terms to Know:
Uptime % = the percentage of time that a site/service is available
Page load time = on average, how quickly the pages (or screens) load
Questions to Ask:
- What is the platform's historical uptime? (and ask whether this figure includes maintenance windows)
- What is the platform’s average page load time?
- What types of software performance monitoring are in place?
Many agencies fail to ask these questions ahead of time and, unfortunately, find out after the fact when they've bought into an untrustworthy system. Don't let this happen to you — ask up front!
3. Data Encryption & Security
Here’s the nitty-gritty of this blog post. We're back to that question: How secure is it? As a health insurance agency that manages sensitive client information, you must be confident that your data and files are protected no matter how or where you access the software.
There are two items to consider here: encryption of your data and how it’s accessed — or, better put, how easily someone who shouldn’t be accessing it potentially could!
Terms to Know:
Data In Transit / Data At Rest = In Transit is data (both records & files) being transmitted from your computer or mobile device (office, coffee shop, home) to the vendor's server or site, whereas At Rest is data being stored on the vendor's servers or storage
Data encryption (SSL/TLS) = TLS (and its deprecated predecessor SSL) encrypts the connection between your device and the site so data in transit can't be read or altered along the way; reputable companies employ this level of encryption to protect data
Two-step / Two-factor authentication = a second line of defense beyond your username and password; many services send you a unique link or text message that you must use to gain access to your account
IP restriction = (sometimes called whitelisting or allowlisting) only allows logins from specific IP addresses or address ranges (e.g. home, office, etc.)
Questions to Ask:
- How are data/files protected in transit and at rest?
- What options does the company offer for additional data security?
This is the nitty-gritty because it's the area most people ask about, but it's also potentially the most misunderstood. In short, you want a vendor who knows exactly how your data is encrypted and who provides two-step or two-factor authentication. These are both solid ways to guard against those who shouldn't be accessing your data.
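To make the "IP restriction" term above concrete, here is an added example (written for this post, not AgencyBloc's own code) of how a login endpoint could enforce an allowlist of office and home address ranges and record every denied attempt for later audit. The CIDR ranges, usernames, and proxy addresses are constructed sample values; the helper names (IpRestrictionPolicy, resolve_client_ip) are assumptions for illustration. It also covers the caveat a practitioner would want: the source address must be the real connection peer (or a header set by a proxy you trust), never a client-supplied header.

```python
"""IP restriction (allowlisting) for a login endpoint.

Added example, not AgencyBloc's code. Assumes the agency has configured a
short allowlist of CIDR ranges for its office and home connections; all
addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpRestrictionPolicy:
    """Allow logins only from configured networks; log every denial."""
    allowed_networks: list            # ipaddress IPv4Network / IPv6Network objects
    denied_attempts: list = field(default_factory=list)  # audit log of denials

    @classmethod
    def from_cidrs(cls, cidrs):
        # strict=False accepts host addresses like "198.51.100.7" as /32 networks
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        return cls(allowed_networks=nets)

    def is_allowed(self, source_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False  # malformed input is denied, never passed through
        # IPv4 addresses never match IPv6 networks and vice versa
        return any(addr in net for net in self.allowed_networks)

    def check_login(self, user: str, source_ip: str) -> bool:
        """Gate the login; denied attempts are appended to the audit log."""
        if self.is_allowed(source_ip):
            return True
        self.denied_attempts.append({"user": user, "source_ip": source_ip})
        return False


def resolve_client_ip(peer_ip: str, forwarded_for: str, trusted_proxies: list) -> str:
    """Decide which address to check against the allowlist.

    Only honor X-Forwarded-For when the TCP peer is one of our own trusted
    proxies; otherwise the header could have been set by the client itself.
    When trusted, use the rightmost entry, which is the address the trusted
    proxy actually observed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in proxy for proxy in trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return peer_ip


if __name__ == "__main__":
    # Constructed configuration: office /24, one home address, an IPv6 block
    policy = IpRestrictionPolicy.from_cidrs(
        ["203.0.113.0/24", "198.51.100.7", "2001:db8::/32"]
    )
    trusted = [ipaddress.ip_network("10.0.0.0/8")]  # constructed proxy range

    # Constructed login attempts: (user, tcp peer, X-Forwarded-For header)
    attempts = [
        ("alice", "10.0.0.5", "203.0.113.42"),         # via trusted proxy, office
        ("bob", "198.51.100.7", ""),                   # direct, home address
        ("mallory", "192.0.2.9", "203.0.113.42"),      # spoofed header, untrusted peer
        ("carol", "2001:db8:1::5", ""),                # direct, IPv6 office block
    ]
    for user, peer, xff in attempts:
        client_ip = resolve_client_ip(peer, xff, trusted)
        print(user, client_ip, "allowed" if policy.check_login(user, client_ip) else "DENIED")
    print("denied attempts for review:", policy.denied_attempts)
```

The denial log is the part to ask a vendor about: an IP restriction is only as useful as the visibility you get into attempts it blocked, so a vendor offering this feature should also be able to show you where those events are recorded.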
4. Data Privacy & Ownership
We covered data privacy and ownership of your data in general above, and this information is covered in detail within a vendor's SOC 2 report. However, there are additional areas to cover: access from within your own company, and overall data ownership.
Depending on your agency's structure, you may want the ability to restrict access to certain parts of the system from certain people or groups of people in your agency. For instance, agencies often restrict agents’ access to solely their own books of business. Or, some agencies want each department only to be able to see certain pieces of the system.
It can also be important to understand if the software you’re considering is owned by an insurance agency, upline (IMO/FMO), or carrier. With a goal of best serving their agents, IMO/FMOs are increasingly creating their own technology solutions or reconfiguring generic technology solutions to offer their downlines. While this can be helpful to downlines, there are important details to consider. Many agents have multiple upline (IMO/FMO) partners, so you’ll want to ensure you’re using a solution that allows you to manage your book of business’s data together, in a central location, rather than siloed spaces.
That’s why many agencies choose to use an AMS provided by an independent technology company so that while their IMO/FMO and carrier partnerships may fluctuate and evolve, their book of business remains in a secure, central location without interruption.
Ownership of your data seems simple. But you need to ask upfront who owns your data once it's put into any system. Are there easy ways to export all of your data if required? All of this matters for data privacy and is an important area to cover with vendors.
Terms to Know:
Data Archive (Backup Copy) = full backup of your data
Questions to Ask:
- Who has access to my data?
- Can I restrict access to certain parts of the system from others in my organization?
- Can I export my data without charge?
- Who owns my data? ← the most important question to ask!
This is another area agencies can be blindsided by if they don’t ask the right questions upfront. Be sure you’re comfortable with the answers to these questions before you move forward with a vendor.
5. Regular Software Maintenance & Updates
Technology changes rapidly, and as you enjoy new features and updates within the system, these changes require updated security measures. Software also has to be patched to guard against newly discovered vulnerabilities.
Think of it like when your computer updates and restarts. If these aren’t done, your computer can become vulnerable to new security issues.
Ask any AMS vendor about their planned system updates (the fun stuff!) AND their maintenance schedule.
Terms to Know:
Software Patches = updates made to the system to guard against newly found vulnerabilities
Questions to Ask:
- When does the company update the system? And how long is the downtime for this?
- How does the company ensure data is protected from newly found vulnerabilities?
- How often does the company deploy updates?
- How does the company handle security incidents?
Make sure your vendor keeps up with software updates and schedules them to minimize any impact on your daily business operations.
6. Vendor Reputation
This is the most crucial section of this post; vendor reputation is everything when it comes to security, reliability, and everything else we’ve discussed. It’s ultimately how you'll feel confident you’re making the right decision overall.
Ensure you understand who is behind the company (use the Domain Registration WHOIS lookup). Be sure to look them up on LinkedIn to see what their company page looks like and who works there. In today's age of remote work, vendors may or may not have a physical office. However, their LinkedIn page can still serve as an excellent resource for identifying a count of employees and the makeup of those employees (look especially for the makeup of the product team).
Also, check out their testimonials on their website, Google, and other review sites to gauge the relationships they have with their customers. Search through the reviews for mentions of the reliability of their software and the helpfulness of their team — the human element of the software is still SO important!
Terms to Know:
Domain Registration (WHOIS) = a lookup of who owns a particular domain or web address
Questions to Ask:
- Who is the team behind the organization?
- Is the company a true third-party organization or do they have ties to an upline, carrier, etc.?
- What does the company's employee makeup (job titles) look like?
- What is in the Terms of Use and Security Policy?
- Does the company have any testimonials or case studies about their platform's security?
Vendor reputation isn’t generally the first thing that comes to mind when people think of software security, but it’s absolutely important. So, do your research!
Choosing a new software partner is a big deal and a decision your agency should not take lightly. Now that you have all of this information, we hope you feel equipped to walk into conversations with software vendors knowing your security terms and which questions are most important to ask, so you can find the best agency management system for your organization.
"AgencyBloc's level of security gives us peace of mind that our data and our clients' data is heavily protected, while still allowing our employees to easily access it on-the-go to best serve our clients."
— Renee D., Varney & Company Benefit Advisors
Secure Your Agency's Data with AgencyBloc's Advanced Security Measures
When you partner with AgencyBloc, we ensure a smooth data migration, implement robust security measures with cloud support, and continuously enhance protection so you can focus on your business.
This blog was originally published on December 15, 2021, and most recently updated on October 15, 2024.
Posted by Sarah Rosonke on Tuesday, October 15, 2024 in Data Management & Security. Tags: data management, vendor vetting.
About The Author
Sarah is the Design and Content Specialist at AgencyBloc. She creates and designs helpful resources to support life and health insurance agencies in growing and automating their business. Favorite quote: "You'll never do a whole lot unless you're brave enough to try." —Dol