Due Diligence and Ongoing Monitoring

  • 1.  Reinsurers

    This message was posted by a user wishing to remain anonymous
    Posted 14 days ago

    Has anyone had success performing information security reviews of reinsurers? We're having challenges as older reinsurance contracts/treaties do not contain security control requirements or risk assessment rights, though the companies do receive sensitive data for claims verification processing. Curious what others are doing to gain assurance that your reinsurers have adequate controls in place to protect data.


  • 2.  RE: Reinsurers

    Posted 9 days ago
    Hi there,

    Even though your contracts do not explicitly contain information security requirements, that should not prevent you from asking your reinsurers to demonstrate they have sufficient data security controls. Cybercrime and information security breaches have hit an all-time high. Any firm handling sensitive or confidential data should anticipate the need to evidence their data security controls.

    The question is whether your reinsurers won't provide the information because it isn't in their contract, or whether there is a hesitancy to ask without the leverage of the contract? In either case, my advice is to put your request in writing and ask for a formal response in writing. If they decline to provide you with the information, consider your options for renegotiating or terminating the contract as soon as practical. Another option may be to ask for a signed attestation that meets your stated requirements (put them in writing).

    I hope that is helpful, but I would love to hear from other members with reinsurer experience.




  • 3.  RE: Reinsurers

    This message was posted by a user wishing to remain anonymous
    Posted 9 days ago

    Thanks for your thoughts. Yes, we have asked our reinsurers, in writing, to complete a security questionnaire, but nearly all declined to cooperate, citing no regulatory or contractual obligation to provide such information. An attestation letter was going to be our next step... it's better than nothing, but ideally we'd prefer to obtain a stronger level of assurance.