Managing and Protecting Data

Data Is Our Business

Throughout our history, Verisk has been committed to responsible data stewardship, a legacy that originated in ISO’s role as statistical agent for the property/casualty insurance industry. Appointed as such by regulators in each of the 50 states, the District of Columbia, and the Commonwealth of Puerto Rico, the company has provided this service on behalf of the industry and its regulators uninterrupted for more than 40 years.

Today, thousands of insurers rely on Verisk data and analytics to write property/casualty insurance policies and pay claims. For example, ISO ClaimSearch®, the world’s largest database of claims information, serves more than 90 percent of the U.S. property/casualty insurance industry by premium volume, in addition to 27 state workers' compensation funds and many law enforcement agencies involved in investigating and prosecuting insurance fraud. Helping customers use data to analyze and manage risk is at the core of our business in financial services and throughout the supply chain.

Behind the scenes, the long-term investment Verisk has made in its data management infrastructure has been matched by significant investment in the areas of security, education, compliance, and audit. Moreover, despite numerous acquisitions of previously independent businesses — each one representing a different level of sophistication in terms of managing its technological environment — all have been expected to embrace the obligation of responsible data stewardship and commit to transitioning to Verisk’s high operational standards and procedures.

Our Commitment

Verisk is committed to safeguarding the information assets entrusted to our care. We will:

  • process your data and transactions in accordance with our agreements and your expectations
  • diligently protect the confidentiality of your data against unauthorized disclosure and usage
  • handle and process personal data in compliance with legal and regulatory requirements
  • use appropriate technical and organizational measures to protect against the accidental loss, destruction, or damage of your data
  • provide highly trusted data and data services in terms of accuracy, timeliness, completeness, and relevance
  • maintain a properly trained workforce committed to achieving the high data management and security standards we have set
  • manage our third-party vendors with the same diligence and controls required to ensure the confidentiality, integrity, and availability of your data

Security and Privacy Policies

Verisk has implemented a comprehensive set of data security and privacy policies addressing all legal and regulatory requirements as well as incorporating best practices for effective data stewardship. These include an Enterprise Information Security Policy Framework, Enterprise Incident Response Standard, Data Classification and Handling Policy, Global Privacy Policy, and Workforce Information Handling Policy.

How We Manage Risk

Verisk manages risk against a framework designed to ensure confidentiality, integrity, and availability. Based on the requirements of our business segments and our customers, the framework aligns with multiple standards and globally recognized best practices, including International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard 27002 and the National Institute of Standards and Technology (NIST).

In addition, Verisk has a strong governance (responsibility and accountability) process in place that follows the Three Lines of Defense model, which distinguishes among three groups (or lines) involved in effective risk management:

  • Functions that own and manage risks: Operational managers own and manage risks. They are also responsible for implementing corrective actions to address process and control deficiencies.
  • Functions that oversee risks: Dedicated security and compliance teams are embedded in several of our member companies, and our Enterprise Risk & Compliance department has responsibility for companywide oversight, monitoring, and applying a consistent risk management framework including risk metrics and reporting.
  • Functions that provide independent assurance: The Verisk Internal Audit department performs objective, risk-based engagements across key operational areas and uses Continuous Transaction Monitoring (CTM) software, among other tools. The department comprises seasoned professionals, led by the Chief Internal Auditor, and reports directly to the Audit Committee of the Board of Directors. Its charter — which defines the mission, scope, accountability, authority, independence, responsibility, and standards of audit practice — is reviewed and approved by the Audit Committee of the Board of Directors each year.

Confidentiality, Integrity, and Availability

Confidentiality covers the security and privacy of confidential information, including regulated information such as personally identifiable information (PII) and personal health information (PHI). We employ a layered security architecture including organizational, process, physical, logical, and monitoring controls designed to protect data assets and quickly detect and respond to threats. Moreover, we follow an enterprise data classification and handling policy that ensures a consistent definition and baseline protection across the entire organization.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. This includes security controls designed to ensure that data cannot be modified in an unauthorized or undetected manner.

Availability is achieved by rigorously maintaining all hardware, performing timely hardware repairs when needed, providing a certain measure of redundancy and fail-over, providing adequate communications bandwidth, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.

Delivery of the following services and controls supports one or more of the aforementioned objectives:

  • “Defense in Depth” protection services
  • security and privacy practices and services
  • incident management services
  • data quality standards and practices
  • quality assurance services
  • physical and environmental services
  • backup and restore services
  • server configuration and software distribution services
  • dedicated service desk support
  • business continuity and disaster recovery services

External Audits, Certifications, and Attestations

AICPA Service Organization Control (SOC) 2 Report
The Verisk regional data centers have successfully taken part in annual Service Organization Control (SOC 2 Type II) Attestation examinations every year since 2011. The examination process includes a detailed description of the controls and services described by Verisk management, together with independent attestation and testing of those controls. The report itself is issued in accordance with the AICPA trust services principles and is provided to our customers and other applicable stakeholders.

Verizon Cybertrust Security Certification
As a certified customer, the Verisk Analytics Regional Data Centers have had their security controls, policies, and procedures examined, measured, and validated against a stringent set of essential practices as defined by Verizon.

In Verizon’s opinion, Verisk has taken appropriate and acceptable measures to meet the requirements of Verizon’s Enterprise Security Management Program and, thus, is permitted to display the Verizon Enterprise Certification Seal. This label demonstrates that Verisk’s Regional Data Centers have made security a priority and employed recognized security processes and technologies to maintain a proactive and comprehensive information security program.

International Data Transfers
Verisk complies with all laws, conventions, and guidelines governing international data transfers. Despite termination of the E.U.–U.S. Safe Harbor Program, Verisk has adopted appropriate policies and procedures, contracts, and security measures to ensure that data transferred from international locations to the United States meets government and client expectations.

Annual Security and Compliance Summit

At Verisk’s annual Security and Compliance Summit, leaders from across the enterprise discuss the security and compliance risks we face and collaborate on the development of effective risk management plans.

This year, more than 60 participants from ISO, 3E, AIR, Argus, Xactware, Wood Mackenzie, and other Verisk corporate and business areas heard leading experts in the industry discuss how to address the growing number of cyber threats, the potential risks arising from the use of third-party providers, the changing regulatory landscape affecting data transfers in the European Union, and common workplace ethical dilemmas.

Annual Security and Compliance Summit
Mark Magath, senior vice president, Risk and Compliance, addresses attendees at the annual Security and Compliance Summit.

Presentation on geopolitical risks
James Lockhard Smith, associate director at Verisk Maplecroft, gives an insightful presentation on geopolitical risks.

Security and Privacy Training Initiatives

All Verisk employees complete annual Security Awareness and Incident Reporting training designed to ensure they can identify potential security issues, take appropriate actions to prevent incidents, safeguard the data and technology with which they work, and understand how and when to report any potential privacy or security incidents. Verisk conducts at least one “phishing assessment” annually to gauge workforce awareness of the potential security threat posed by phishing and spear phishing e-mails. As part of the assessment, employees receive awareness training on how to identify phishing e-mails and what actions to take if they suspect they have received a phishing e-mail.


“Verisk is committed to safeguarding the information assets entrusted to our care.”

Mark Magath
Senior Vice President, Risk and Compliance
Verisk Analytics