Gain’s founding six years ago coincided with an increased focus on cybersecurity by our clientele. While many carriers operate in New York and are subject to 23 NYCRR Part 500, some are motivated by industry best practices in recognition of the extreme risks presented by a cybersecurity breach, while yet others simply have the understandable goal not to be front page news.

By way of a little background, a typical Enterprise Risk Management (ERM) framework attempts to quantify the Impact of a particular event, often calculating this metric by assigning numerical values to the Likelihood and Severity of each risk and multiplying the two values. 

The punchline: 

Regardless of what value an ERM administrator might assign to the likelihood of a Cybersecurity breach, its severity can be off-the-charts extreme. 

By way of example, for an insurer a cybersecurity event could be ransomware that locks its systems or a hack that exposes all of its policyholders’ PII or PHI on the dark web. It is the stuff of nightmares.

Security Considerations: Installed vs. Cloud software

Carriers manage and mitigate cybersecurity risk – and are legally obligated to do so under an increasing number of regulations – through carefully vetting the data security practices of their vendors. 

An area of additional opportunity is presented by actively selecting the type of software for a particular use case.

In Gain’s market for Statutory Financial Reporting, there is a stark choice between legacy vendors which rely upon a client-server software delivery model, and modern software with a pure cloud-based application.

The security implications are significant. 

With legacy software, users download and install software on their computers’ hard drives. Further, with each new release or update, the process repeats. In our market, this could occur dozens of times for each user every year, and each time there is a risk of introducing a virus or malware to the carrier’s system, because the software sits on the company’s network, behind any safeguarding firewall.

Recognizing the extreme impact of introducing a virus into a company’s network, the best practice for mitigating risk with legacy, installed software is to sequester and test each new release prior to installing or updating the application client.

Cloud-based software, by contrast, is delivered via a web browser: users access the application through the browser, and it is not installed on the user’s computer. (In fact, it is agnostic as to operating system; Gain’s software works equally well on a Mac, PC, or Chromebook.)

Not only does this obviate the need to manage, review, and install updates, it also removes the risk that comes with installing software on a client’s system.

On the list of reasons why we are winning new business from legacy vendors, the inherent advantages of Gain’s system with respect to cybersecurity are increasingly cited in the purchasing decision.
