Establishing a framework for practical data governance in the insurance industry
Dec 04, 2023 · Authored by Russell Sommers, Nathan Olson
Data governance tends to be thought of as an information technology (IT) responsibility, when in reality, it’s a business issue. Many insurers have found success by harnessing and using data, enabling leaders to make data-driven business decisions to better serve policyholders and execute strategy. As insurance organizations increasingly use data, there is a heightened regulatory focus on the handling of sensitive information.
Up until recently, many have focused on implementing a cybersecurity program designed to identify and protect non-public information and maintain the integrity of information systems, as well as to detect, respond to and recover from cybersecurity events in a timely manner. A new area of focus is the governance and use of business data, with a specific emphasis on the types of data being collected and used, the purpose behind the collection of that data, how access to that data is controlled and the controls in place to ensure that the use of data doesn’t introduce bias into decision making and/or create disparate impact to groups of users.
Why is data governance so important within the insurance industry?
In 2022, nearly 422 million individuals were impacted by U.S.-based data compromises/breaches. Despite this, the use of data globally is increasing rapidly. By 2025, global data is predicted to increase to 175 zettabytes – up from only 33 zettabytes in 2018. The majority of our clients have access to more data than they can effectively utilize, and they seek insights to learn more about the different actions they should take to better handle and analyze that data to add value to their organization.
In the insurance industry, data governance is an important component of ensuring the consistent treatment of data to uphold compliance responsibilities and support strategy execution. It is the process of managing the availability, usability, integrity and security of an organization’s data. Developing a strong data governance framework involves defining policies, procedures and standards for proper data management, assigning roles and responsibilities across your team to ensure that data is properly managed throughout its lifecycle, and putting in place the tooling and metrics to assess efficacy.
Two important components of establishing a data governance framework are data literacy and data ownership. By focusing on data literacy, your organization will be able to identify opportunities to enable better information access, stewardship and security. Data literacy covers everything that helps your organization engage better with data, both understanding it from a knowledge perspective and finding it from a resource perspective. This will enable you to drive data decisions on a consistent basis, and it is a key part of a data governance framework. It is also important to ensure that the individuals working within your organization understand the data they are using and how to properly analyze it. From a change management perspective, any new policies or procedures you attempt to implement will not be effective without an adequate level of data literacy.
It is also important to establish a framework for data ownership to align business stakeholders with information technology, thereby providing guidance and resources for key data assets. This side of the data management spectrum focuses on accountability and visibility into who ‘owns’ certain data assets within your organization. Specific individuals and teams need to police how data is used, managed, viewed and analyzed to ensure accountability and the proper handling of sensitive information. As with data literacy, it is essential for data ownership that everyone within your organization knows who is responsible for certain data assets and who they can reach out to when necessary.
Data governance covers a broad area, including everything from policies, standards and strategy to management and support, data quality control and privacy, compliance and security. It is crucial that insurance organizations practice data governance in order to increase data volume, improve self-service reporting and data analytics and stay on top of regulatory and compliance requirements.
As the use of data becomes more necessary to execute strategy, the opportunities to harness your organization’s data to further grow your business will grow exponentially. Technologies like machine learning (ML) and artificial intelligence (AI) are playing bigger roles in how we use data, and they represent significant opportunities and areas for growth for insurance companies. A strong data governance framework needs to be established before your organization starts to delve into these new technologies.
At Baker Tilly, our data governance framework goes hand in hand with our overall data strategy. Having one standard policy in place across the entire organization concerning the handling of data is the best way to ensure we are taking accountability and ownership over our data. Ultimately, we feel that the ownership of data governance should be held within the hands of the business instead of the IT team so that it is properly represented by stakeholders who have detailed ownership and accountability over those assets.
Insurance industry regulations and guidance
The insurance industry is highly regulated, with several federal and state regulations that govern the handling of sensitive data. By establishing a robust data governance framework, you will be able to ensure that your organization complies with all of the necessary regulations and avoids any potential non-compliance penalties.
In Oct. 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (Model #668) in response to several major data breaches involving large insurers that exposed and compromised the sensitive information of millions of insurance consumers. The model requires insurers and other entities licensed by a state department of insurance to develop, implement and maintain an information security program based on its risk assessment. There must be board oversight, an incident response plan in place, program adjustments where necessary and annual certifications.
On Aug. 14, 2020, the NAIC adopted principles for artificial intelligence (AI) and its use. These principles require insurers to:
- Proactively avoid discrimination against protected classes
- Monitor AI operations and resolve harmful, unintended consequences
- Disclose use of AI and give consumers an opportunity to inquire/challenge AI decisions
- Embed risk management throughout the AI lifecycle
These principles are not yet a law and are not enforceable, but they set out the regulators’ expectations and will form the basis for future regulatory workstreams. The NAIC created the Fair and Ethical, Accountable, Compliant, Transparent and Secure (FACTS) guidelines to establish consistent high-level guiding principles for insurance organizations that play an active role in the AI system lifecycle – otherwise known as AI actors.
- Fair and ethical: AI actors should respect the rule of law throughout the AI lifecycle. This will include, but is not limited to, laws and regulations with respect to insurance.
- Accountable: AI actors should be accountable for ensuring the proper functioning of AI systems in compliance with all stated principles, the risk-based situational context and evolving best practices.
- Compliant: AI actors must have specific knowledge of all applicable federal and state insurance laws and regulations.
- Transparent: AI actors should commit to transparency and responsible disclosures regarding AI systems to relevant stakeholders while maintaining the ability to protect confidentiality and adhere to individual state regulations in all states where AI is deployed.
- Secure, safe and robust: AI systems should be robust, secure and safe throughout the entire lifecycle so that in conditions of normal use the AI system can function accurately and appropriately.
At the recent 2023 NAIC summer national meeting, the NAIC issued a bulletin concerning the use of AI systems and the corresponding regulations. The Department encourages the development and use of innovation and AI systems that contribute to safe and stable insurance markets. However, the Department also expects that insurers that use AI systems to support decisions that impact consumers will do so in a manner that complies with, and is designed to assure that the decisions made using those systems meet, the requirements of all applicable federal and state laws.
The Department recognizes the Principles of Artificial Intelligence that the NAIC adopted in 2020 as an appropriate source of guidance for insurers as they develop and use AI systems. Those principles emphasize the importance of fairness and ethical use of AI, accountability, compliance with state laws and regulations, transparency and a safe, secure, fair and robust system.
Outcomes of governance
Aspects of a strong data governance program include well-defined roles and responsibilities, ownership by one team to ensure accountability, protection of sensitive information and the continuous monitoring of data quality. Before you dive into developing a data governance framework, it is important to have the right structure in place. Spend time on discovery to understand current pain points, strengths and weaknesses. While your organization may have some immediate goals regarding data quality or even self-service reporting, it is important to keep the long term in mind and have a perspective on the target state for data usage and governance. A data governance program is not a one-time initiative that you implement and then move on from. Your team will need to consistently build upon it as time goes by. Because of this, it is important to take some time to set a plan for where you want your data governance program to be in the future.
Having a strong data governance framework in place will protect your organization in the short and long term.