Insurance Spreadsheet Risk Management & EUC Data Governance
Spreadsheet risk is especially high in the insurance industry due to Excel’s ubiquity and role in supporting operationally critical business processes.
Insurance Data Governance
Those in the finance department use spreadsheets for forecasting and financial reporting.
Others like actuaries and underwriters use them heavily for actuarial and underwriting models, respectively.
Finance and non-finance functions alike use spreadsheets to store and work with personally identifiable information (PII).
All of this has been the status quo, contributing to a growing appetite for data.
Insurers continue to invest in data-related initiatives across cybersecurity, cloud computing, data privacy, and data analytics. With the pandemic, the shift to remote working has accelerated digital transformation for insurers and others alike.
Within the financial services sector, the insurance industry holds some of the largest and most elaborate collections of data. Insurers use this data for underwriting, rating, claims, and more. It plays an important role in decision-making and reporting processes while also being highly sensitive.
It is not surprising that these potential vulnerabilities have always caught the attention of regulators.
Regulators like EIOPA, PRA, and BaFin have included data governance requirements in their directives targeted at insurance companies. Insurers must now also comply with broader regulations such as the GDPR and CCPA for data privacy when handling personal data. They must do so while continuing to evidence the appropriate controls across financial reporting mandated by SOX, SAP, and IFRS.
Most, if not all, of these regulations have sections dedicated to data governance. Within this highly regulated industry, matters get even more complicated when the ubiquitous spreadsheet is considered.
Insurance Compliance Definitions
Insurance Regulatory Bodies
What is EIOPA?
The European Insurance and Occupational Pensions Authority (EIOPA) is an EU regulatory institution. EIOPA is responsible for oversight of insurance undertakings, reinsurance undertakings, financial institutions, occupational pension/retirement funds, and insurance brokers.
What is the PRA?
The Prudential Regulation Authority (PRA) is a UK regulatory body. The PRA is responsible for supervision of financial institutions including banks, credit unions, insurers, and others.
What is BaFin?
The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) or Federal Financial Supervisory Authority is a regulatory body for Germany. BaFin is responsible for oversight of banks, insurers, and other financial institutions.
What is SOX?
The Sarbanes-Oxley Act of 2002, commonly known as SOX, is a US law that redefined accounting, financial reporting, auditing, and other requirements for public companies.
What is SAP?
Statutory Accounting Principles (SAP) is a US accounting standard for insurance companies. While built on the GAAP framework, SAP puts greater emphasis on solvency.
What is IFRS?
International Financial Reporting Standards (IFRS) are accounting standards used by public companies in many parts of the world. In the US, the SEC requires public companies to use GAAP.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that aims to protect personal data and privacy of citizens in the European Economic Area (EEA).
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a data privacy law for California residents.
Insurance Spreadsheet Management
Spreadsheets are widely used by insurers to store and process actuarial, financial, and personal data. These highly interconnected spreadsheets are also heavily used to manipulate and process policies, claims, and models as both inputs and outputs. For actuarial modelling, spreadsheet-based inputs often include:
- Mortality & Morbidity data
- Economic Scenario Generators (ESG)
- Policy data
- Claim data
- And other parameters
As many insurers come to learn, spreadsheets and other EUC applications lack built-in controls, and applying controls manually is far too heavy a burden given their complexity. This contributes to data quality issues, a lack of ownership visibility, and unclear access rights. Furthermore, many of the regulations listed above require historical detail to gauge completeness, something Excel does not offer.
Apparity was designed to efficiently manage and control spreadsheets and other EUC applications within the insurance industry. Apparity’s standard functionality allows insurance companies to automate and evidence data governance requirements in these general areas:
- Discovery Module: Automatically create and maintain an inventory of spreadsheets and other EUC file types, including key file details.
- Structural Complexity Algorithm: Determine the complexity of each identified file using custom evaluation parameters.
- Qualitative assessment of file impact to capture relevant data from file owners. Enables a risk-based inventory based on both complexity and impact.
- Connection Explorer: Visually chart connections between discovered files to map data lineage. Provides a clearer understanding of upstream and downstream dependencies.
- Automatically capture and track all file copies while allowing user comments to enable collaboration and audit trails.
- Version History: View, export, and restore a file to a previous version or copy of a file.
- Zero Loss Fingerprinting: Monitored files are always tracked, regardless of where the file is saved or what it is named. Ensures there are never ‘lost copies’ of a file.
- Change Logs: Real-time and in-session view of all critical changes made to a file. Filtering and sorting help identify potential mistakes or unauthorized changes.
- Noise Filtering: Users only see the critical changes relevant to them, as configured against company EUC policy.
- Automated Review and Approval Workflow: Ensures critical changes are properly signed off, with audit trails included.
- File Access & Change Reports: Track and log all users who update critical files.
- Unexpected Change Warnings: Flag any changes made by non-Apparity users who might be outside the controls framework. Apparity checks and monitors against all existing access control frameworks. Ensures access is never granted to a file unless the user already has access to the original file location.
- Automated PII Identification: Allows teams to understand which files contain sensitive data that should not be accessible to broader audiences.