

By Rachel Stauffer
Independent insurance agencies are no strangers to the topic of data security. With cyber threats becoming increasingly sophisticated and dangerous, independent agencies are likely already giving clients advice for managing cyber risk—but are they taking steps to mitigate their own data security risks?
While there’s no way to guarantee your agency will never be susceptible to an attack on your systems or data, there are steps you can take to understand and increase the security of your client data. This includes choosing technology providers that offer strong data security features, as well as following best practices for data security at your agency.
One of the best things an agency can do to protect its clients’ data is to store it in an agency management system (AMS) that’s designed to keep data secure. Here are seven of the top data security features to look for in an AMS, customer relationship manager (CRM) or any other technology provider that houses client data:
1) Data encryption. Encryption is one of the most fundamental security measures technology providers can take to protect data. This is the process of encoding data using an algorithm to make it unreadable to outside parties.
Encryption protects data on desktop and cloud systems by preventing unauthorized entities from accessing the data without the correct decryption key. Think of it like writing a message to your friend using a code, which your friend must know to read the message.
Data is typically encrypted in two states: at rest (while stored within a system) and in transit (while being transmitted between systems).
Data at rest, including data and attachments stored in a system, is typically encrypted either at the file level or the database level. Data in transit is usually encrypted using Hypertext Transfer Protocol Secure (HTTPS), which relies on Transport Layer Security (TLS) to encrypt the connection and protect data from one end of the transmission to the other.
You may not realize it, but TLS is usually what protects sensitive information you enter on websites, like login or credit card information.
2) Multifactor authentication (MFA). Most technology users are familiar with MFA for logging in to systems, as many vendors now require users to verify themselves using a second method—usually a code sent via email or text. While it may feel like an extra step for users, MFA is one of the best ways to prevent unauthorized parties from logging into a system using a stolen password.
Check if your technology providers offer MFA or if it’s an option that can be enabled and customized for your agency.
3) Data masking. Many technology platforms also offer security features that mask sensitive data or personally identifiable information (PII) while it’s onscreen, typically displaying it as dots or asterisks instead. This hides sensitive information such as Social Security numbers or dates of birth so that it can’t be seen by others who may be looking at your screen.
Extra points if the platform allows you to copy and paste fields without unmasking them first, which will help you keep sensitive data hidden without adding extra steps to your workflow.
4) User permissions. One thing agencies may not think of as a security feature is the ability to control access to different features or data within a platform. It’s likely that not every employee at your office needs access to all features of the system. For instance, some users may only require viewing access rather than editing access, and some users may not need access to run reports.
It’s a good idea to start by providing the minimum access you think a user might need. You can always add permissions from there as the user encounters features they need to access.
When evaluating a tech platform, ensure that users and permissions are easily viewable and manageable for administrators. For example, do they offer the ability to create user permission templates so you can quickly add a set of relevant permissions for different types of users like producers or customer service representatives (CSRs)?
5) Domain and Internet Protocol (IP) access rules. Now that many systems and tools are accessible by logging in to a browser, it can be more difficult for agency owners to ensure employees aren’t accessing sensitive data after hours or from outside the office. Tech providers can assist by providing the agency with controls to restrict access to specific network domains or IP addresses, thereby limiting where employees can log in from.
6) Data retention measures. Your AMS and other tech providers should have data retention measures in place so that your agency’s data is backed up in case of a cyberattack that affects the system.
Pay attention to how far back your provider’s backups go. Providers often use a rolling window, such as the last 30 days. Additionally, note how frequently data is backed up (if it is only backed up once a week, you could lose a week’s worth of data if an incident occurs) and whether it is backed up in multiple locations.
7) Data security certifications. Check whether your tech provider holds any additional data security certifications to provide further security for your systems or data. Vendors may have this listed on their websites or be able to provide a cybersecurity statement of compliance that includes this information.
One example is System and Organization Controls 2 (SOC 2) compliance, which certifies that an organization that handles or stores customer data maintains strict standards for the security of all data and systems. This might include steps like penetration testing—simulating a cyberattack on a computer system to evaluate its security—using an independent third party.
Depending on the platform, a vendor may have certifications specific to its area of expertise. For instance, look for payment processing systems that have the Payment Card Industry Data Security Standard (PCI DSS) certification.
Best Practices for Data Security
It’s tempting to assume it’s the sole responsibility of the technology systems you use to protect your agency’s data. In reality, the highest level of data security requires measures from all parties to protect data in every environment it touches.
Your agency should implement best practices to promote data security, including:
It requires an investment of time, money and effort for agencies to choose security-minded technology providers and implement additional measures at their agency to keep data secure—but the cost of leaving yourself vulnerable to devastating cyber threats is far greater.
Rachel Stauffer is content manager at HawkSoft.