Throughout our history, Verisk has been committed to responsible data stewardship, a legacy that originated in ISO’s role as statistical agent for the property/casualty insurance industry. Appointed as such by regulators in each of the 50 states, the District of Columbia, and the Commonwealth of Puerto Rico, the company has provided this service on behalf of the industry and its regulators uninterrupted for more than 40 years.
Today, thousands of insurers rely on Verisk data and analytics to write property/casualty insurance policies and pay claims. For example, ISO ClaimSearch®, the world’s largest database of claims information, serves more than 90 percent of the U.S. property/casualty insurance industry by premium volume, in addition to 27 state workers' compensation funds and many law enforcement agencies involved in investigating and prosecuting insurance fraud. Helping customers use data to analyze and manage risk is at the core of our business in financial services, and throughout the supply chain.
Behind the scenes, the long-term investment Verisk has made in its data management infrastructure has been matched by significant investment in the areas of security, education, compliance, and audit. Moreover, despite numerous acquisitions of previously independent businesses — each one representing a different level of sophistication in terms of managing its technological environment — all have been expected to embrace the obligation of responsible data stewardship and commit to transitioning to Verisk’s high operational standards and procedures.
Verisk is committed to safeguarding the information assets entrusted to our care. We will:
Verisk manages to a framework that is designed to ensure confidentiality, integrity, and availability. Based on the requirements of our business segments and our customers, our framework aligns with multiple standards and globally recognized best practices, including International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard 27002 and the National Institute of Standards and Technology (NIST).
In addition, Verisk has a strong governance (responsibility and accountability) process in place that follows The Three Lines of Defense model, a model which distinguishes among three groups (or lines) involved in effective risk management:
Confidentiality covers the security and privacy of confidential information, including regulated information such as personally identifiable information (PII) and personal health information (PHI). We employ a layered security architecture including organizational, process, physical, logical, and monitoring controls designed to protect data assets and quickly detect and respond to threats. Moreover, we follow an enterprise data classification and handling policy that ensures a consistent definition and baseline protection across the entire organization.
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. This includes security controls designed to ensure that data cannot be modified in an unauthorized or undetected manner.
Availability is achieved by rigorously maintaining all hardware, performing timely hardware repairs when needed, providing a certain measure of redundancy and fail-over, providing adequate communications bandwidth, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.
Delivery of the following services and controls supports one or more of the aforementioned objectives:
AICPA Service Organization Control (SOC) 2 Report
The Verisk regional data centers have successfully taken part in annual Service Organization Control (SOC 2 Type II) attestation examinations every year since 2011. The examination process includes a detailed description and independent attestation and testing of the controls and services described by Verisk management. The report itself is issued in accordance with the AICPA trust services principles and is provided to our customers and other applicable stakeholders.
Verizon Cybertrust Security Certification
As a certified customer, the Verisk Analytics Regional Data Centers have had their security controls, policies, and procedures examined, measured, and validated against a stringent set of essential practices as defined by Verizon.
In Verizon’s opinion, Verisk has taken appropriate and acceptable measures to meet the requirements of Verizon’s Enterprise Security Management Program and, thus, is permitted to display the Verizon Enterprise Certification Seal. This label demonstrates that Verisk’s Regional Data Centers have made security a priority and employed recognized security processes and technologies to maintain a proactive and comprehensive information security program.
International Data Transfers
Verisk complies with all laws, conventions, and guidelines governing international data transfers. Despite termination of the E.U.–U.S. Safe Harbor Program, Verisk has adopted appropriate policies and procedures, contracts, and security measures to ensure that data transferred from international locations to the United States meets government and client expectations.
Annual Security and Compliance Summit
At Verisk’s annual Security and Compliance Summit, leaders from across the enterprise discuss the security and compliance risks we face and collaborate on the development of effective risk management plans.
This year, more than 60 participants from ISO, 3E, AIR, Argus, Xactware, Wood Mackenzie, and other Verisk corporate and business areas heard leading experts in the industry discuss how to address the growing number of cyber threats, the potential risks arising from the use of third-party providers, the changing regulatory landscape affecting data transfers in the European Union, and common workplace ethical dilemmas.
Security and Privacy Training Initiatives
All Verisk employees complete annual Security Awareness and Incident Reporting training designed to ensure they can identify potential security issues, take appropriate actions to prevent incidents, safeguard the data and technology with which they work, and understand how and when to report any potential privacy or security incidents. Verisk conducts at least one “phishing assessment” annually to gauge workforce awareness of the potential security threat posed by phishing and spear phishing e-mails. As part of the assessment, employees receive awareness training on how to identify phishing e-mails and what actions to take if they suspect they have received a phishing e-mail.