Managing and Protecting Data

Data Is Our Business

Throughout our history, Verisk has been committed to responsible data stewardship, a legacy that originated nearly 50 years ago when the company was appointed statistical agent on behalf of U.S. state insurance regulators.

Today, helping customers use data to analyze and manage risk is at the core of our business worldwide—in insurance, banking and financial services, energy and natural resources, environmental management, and supply chain risk.

Behind the scenes, the long-term investment Verisk has made in its data management infrastructure has been matched by significant investment in the areas of security, education, compliance, and audit. Moreover, despite numerous acquisitions of previously independent businesses—each with a different level of sophistication in managing its technological environment—all have been obligated to embrace responsible data stewardship and commit to transitioning to Verisk’s high operational standards and procedures.

Our Commitment

Verisk is committed to safeguarding the information assets entrusted to our care. It is our intention and duty to:

  • process data and transactions in accordance with agreements and client expectations
  • diligently protect the confidentiality of data against unauthorized disclosure and usage
  • handle and process personal data in compliance with legal and regulatory requirements
  • use appropriate technical and organizational measures to protect against the accidental loss, damage, or destruction of data
  • provide highly trusted data and data services in terms of accuracy, timeliness, completeness, and relevance
  • maintain a properly trained workforce committed to achieving the high data management and security standards we have set
  • manage third-party vendors with the same diligence and controls required to ensure the confidentiality, integrity, and availability of data

Security and Privacy Policies

Verisk has implemented a comprehensive set of data security and privacy policies addressing all legal and regulatory requirements as well as incorporating best practices for effective data stewardship. These include an Enterprise Information Security Policy Framework, Enterprise Incident Response Standard, Data Classification and Handling Policy, Global Privacy Policy, and Workforce Information Handling Policy.

Annual Security and Compliance Summit
At Verisk’s annual Security and Compliance Summit, leaders from across the enterprise discuss the security and compliance risks we face and collaborate on the development of effective risk management plans.

In 2017, more than 70 attendees representing Verisk’s global operations convened to hear leading experts discuss how to address the growing number and types of cyber threats; maintain effective oversight of third-party providers; and respond to the changing regulatory landscape in the European Union, particularly with implementation of the General Data Protection Regulation (GDPR) in 2018. Attendees also saw real-time demonstrations of best-in-class security tools used by Verisk to prevent, detect, contain, and remediate cybersecurity attacks across the enterprise.

Security and Privacy Training Initiatives
All Verisk employees complete annual Security Awareness and Incident Reporting training designed to ensure they can identify potential security issues, take appropriate actions to prevent incidents, safeguard the data and technology with which they work, and understand how and when to report any potential privacy or security incidents.

How We Manage Risk

Verisk manages a framework designed to ensure confidentiality, integrity, and availability. Based on customer and business segment requirements, our framework aligns with multiple standards and globally recognized best practices that include International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard 27002 and guidelines from the National Institute of Standards and Technology (NIST).

Confidentiality covers the security and privacy of confidential information, including regulated information such as personally identifiable information and personal health information. We employ a layered security architecture that includes organizational, process, physical, logical, and monitoring controls designed to protect data assets and quickly detect and respond to threats. Moreover, we follow an enterprise data classification and handling policy that ensures a consistent definition and baseline protection across the entire organization.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data throughout its entire life cycle. This includes security controls designed to ensure that data cannot be modified in an unauthorized or undetected manner.

Availability is achieved by rigorously maintaining all hardware, performing timely hardware repairs when needed, ensuring a certain measure of redundancy and failover, providing adequate communications bandwidth, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service attacks.

Delivery of the following services and controls supports one or more of the aforementioned objectives:

  • “defense in depth” protection services
  • security and privacy practices and services
  • incident management services
  • data quality standards and practices
  • quality assurance services
  • physical and environmental services
  • backup and restore services
  • server configuration and software distribution services
  • dedicated service desk support
  • business continuity and disaster recovery services

External Audits, Certifications, and Attestations

AICPA Service Organization Control (SOC) 2 Report
The Verisk regional data centers have successfully taken part in annual SOC 2 Type II attestation examinations each year since 2011. The examination process includes a detailed description of the controls and services adopted by Verisk management, followed by independent testing of their design and operating effectiveness over the review period. This attestation is performed in accordance with the trust services principles of the AICPA (American Institute of Certified Public Accountants) covering security, privacy, confidentiality, processing integrity, and availability.

ISO 27001:2013 Certification
Verisk has implemented an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2013 standard. The ISMS is an overarching management framework through which the organization identifies, analyzes, and addresses its information risks. The ISMS ensures that the security program is fine-tuned to keep pace with evolving security threats, vulnerabilities, and business impacts. Certification against this standard requires successful completion of a formal audit by an independent and accredited certification body.

International Data Transfers

Verisk complies with all laws, conventions, and guidelines governing international data transfers. Verisk business units are Privacy Shield–certified and have adopted appropriate policies, procedures, contracts, and security measures to ensure that data transferred from international locations to the United States meets government and client expectations.