Why are catastrophe (CAT) teams an identity and access risk?

August 17th 2021

While some insurance companies have full-time CAT teams, others use a variety of CAT team staff, part-time use of staff from other departments, and third-party adjusters (TPA). While each organization is different, CAT teams can pose both a vendor access risk and an internal short-term “mover” identity and access risk.

Third-Party Adjusters (TPA)

As the name implies, TPAs, or independent adjusters, are claims handlers that work on behalf of an insurer but are not directly employed by the insurance company. Functionally, insurers outsource the claims-handling work then the TPA gives the insurance company the relevant information.

As part of their job, the TPA needs to:

  • Review insurance policy and coverage terms
  • Access policyholder name and address
  • Investigate facts, liability, and damages
  • Evaluate whether the policy terms cover the liability based on the facts
  • Set reserves
  • Pay the claim

To do this, the TPA then needs access to sensitive policyholder information such as:

  • Name
  • Address
  • Social security number
  • Bank account information
  • Healthcare information

Because the insurance company does not directly employ the TPA, it needs to find a way to control the TPA’s access to systems, networks, and applications.

Internal Movers

Another way many insurance companies manage CAT teams is by leveraging their current claims adjusters. This model gives additional internal claims handlers additional access to applications. During the Coronavirus Pandemic, for example, an insurer may see fewer auto claims and choose to give auto adjusters some of the catastrophe claims.

By doing this, the insurance company gives access to CAT team resources such as databases or claims applications. However, once the claims have been paid and cleared, the insurer needs to ensure that they revoke that additional access.

    Keep up to date with Davies