An Insurance Company Strengthens HIPAA and NYDFS Compliance and Security Requirements with SCORE Assessment

September 19, 2018

An insurance company that is an Itasca, IL-based General Agent and Program Administrator helps over 4,000 insurance brokers find the right insurance products for their clients. Since 1952, the company’s mission has been to provide their clients with best-in-class products and service.

As insurance continues to be one of the most regulated industries, the company was facing increasing pressure to harden its security posture to meet new compliance regulations and standards, as well as to support its mission of providing best-in-class products and services to its clients.

In response to changing compliance laws, the company was investing more time in manually managing and monitoring security issues. This process was not only labor-intensive but prone to human error. It was estimated that, for just one of their many providers, the company's internal IT team was spending more than 10 hours per week on compliance-related activities. Additional hours would be needed to document each manual process as well.

Beyond compliance challenges, the company had its own set of concerns about how well it was defending against modern threats. As the sophistication, scope, and aggressiveness of cyberattacks continued to intensify, the serious financial and reputational risks associated with a security breach continued to escalate.

With the government issuing the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation in August of 2017, which required companies like this one to comply with new cybersecurity standards, this company knew quick action was required to remain compliant.

Getting Started with Advanced Cyber Security

The company recognized that their current tools and processes were not sustainable for meeting compliance regulations and managing today's ever-evolving threat landscape. While they were eager to make a change, like most midsize organizations, they struggled with knowing where to begin.

They knew they could benefit from working with a partner who had been successful at improving the security “score” of countless other customers, so they tapped their existing relationship with BDO Digital as a Managed Services customer to help them evaluate, analyze, and roadmap a solution to bring them to compliance and reduce their risk of a cyberattack.

Threat-Based Security Scoring

BDO Digital’s unique approach to threat-based security scoring used a customized SCORE framework to evaluate the company's ability to defend against modern security threats, establish how their current solutions were protecting them, and show how to leverage Microsoft 365 to increase their protection.

BDO Digital performed a data-driven assessment of over 210 of the company's security controls (e.g., authentication methods, physical access, role-based permissions) against the company’s most common security threats (e.g., credential harvesting, ransomware/malware, accidental data leaks). SCORE was then used to establish a baseline using the following assessments:

  • Sensitive Data Identification: BDO Digital reviewed the data that would be most enticing to attackers and that had the most potential to cause harm if compromised.
  • Control Review: BDO Digital assessed the company's environment and identified the status of 210 potential security controls.
  • Organizational Readiness by Attack Method: BDO Digital classified the attack strategies the organization’s environment was vulnerable to and mapped them back to controls they already had in place.
  • Risk Protection Grading: BDO Digital provided a calculation of the company's current state of protection in their security controls.
  • Evaluation and Recommendations: BDO Digital mapped technology investments that would improve their controls and calculated a new potential SCORE for their organization.

Improving Cybersecurity in the Cloud

One of the biggest initiatives that resulted from the SCORE assessment was to move the company's most mission-critical business applications to Azure in the cloud. BDO Digital leveraged Azure Active Directory, which would reduce the number of security solutions required to manage the customer environment. This enabled the company to leverage Microsoft 365 to enhance and automate many of the security controls that were needed to meet compliance and protect against modern threats. Technical integrations including Intelligent Security Graph, Secure Score, Azure SQL Database, App Service, and Functions were also implemented.

BDO Digital’s SCORE security solution allowed us to clearly identify where we should be making security investments and how to get the maximum benefit with Microsoft solutions. Our security needs around NYDFS are important to our business. BDO Digital has been able to help us increase our overall security posture and meet compliance regulations before federal deadlines.

- The Company's Chief Operations Officer

Tapping Into Microsoft 365 to Make Security Better and Easier

By leveraging the built-in security features of Microsoft 365, the company can now rely on self-healing technology to monitor, detect, diagnose, and resolve issues without requiring IT intervention. In the event that the technology is unable to fix the issue, the system proactively alerts the right teams to ensure the problem is resolved quickly.

This use of automation and artificial intelligence in Microsoft 365 has not only reduced the risk of cyberattack, but also freed up their internal IT resources to focus on strategic initiatives rather than manually completing compliance-related activities. What once took 10 hours to respond to an audit now takes less than 1 hour, and due to the effectiveness of the intelligent cloud, the company is now able to meet auditors' expectations with virtually no follow-up work required.

Microsoft, along with BDO Digital, have a value proposition that allows us to focus on our business while they focus on providing us with seamless, secure, and scalable solutions so that we can continue our cloud journey.

- The Company's Chief Operations Officer

Ongoing Security Management

Beyond addressing their immediate security, compliance, and operational concerns, the company's security engagement with BDO Digital has proven to be a powerful partnership as the company continues to plan for the future.

The team is able to use benchmarks and goals established in the SCORE assessment to help their team communicate ongoing progress to the board. With the help of BDO Digital’s Managed Defense, the organization continues to build a more flexible, stable, and reliable architecture in the cloud to streamline business operations and protect against modern threats.

We look forward to partnering with BDO Digital and Microsoft to incorporate additional Microsoft 365 features to empower our employees, along with Azure solutions to better securely engage our customers.

- The Company's Chief Operations Officer