Overview
At Kinsale, data security and privacy are more important than ever. We employ a multifaceted approach using administrative and technical safeguards to protect our digital assets. We design data protection strategies to monitor security threats, as well as clear protocols to respond to them.
Policy & Governance
Our goal is to provide a disciplined approach to safeguarding our digital assets, and that starts with a comprehensive set of security policies and standards designed to protect the confidentiality, integrity, availability, and privacy of our information systems and data. Our policies, standards, and practices leverage commonly accepted information security frameworks, including those from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
The Audit Committee of the Board of Directors and senior management discuss information security matters throughout the year, with a focus on risks to Kinsale and risk mitigation plans.
Training & Awareness
All Kinsale employees and contractors receive training on our privacy and information security policies during onboarding and again as part of our annual policy certification process. We provide regular targeted security awareness training on topics such as, but not limited to, phishing, password protection, and social engineering. We educate our employees through several methods, including computer-based training, security materials and presentations, email publications, and various simulation exercises.
All employees must acknowledge and agree to comply with our Code of Business Conduct and Ethics and Acceptable Use Policy. We require all employees and contractors to treat information about employees, insureds, and claimants as confidential and access the information only for designated business purposes. Our Code of Business Conduct and Ethics governs our operations and helps ensure company data is not inappropriately shared or altered.
Security Tools
Kinsale uses information security tools designed to protect information and systems, including encryption, firewalls, backups, intrusion detection and prevention systems, patch management, vulnerability and penetration testing, and identity management systems. Our Information Security Team monitors these tools to discover anomalous and suspicious patterns and is prepared to respond in a timely manner. Kinsale’s systems are monitored around the clock, every day of the year.
Kinsale leverages qualified third parties to conduct penetration tests no less than annually. Findings from these tests are risk assessed and remediated as necessary.
Kinsale’s Security Incident Response process consists of a set of coordinated procedures and tasks that our Incident Response Team executes to ensure the timely and accurate resolution of computer security incidents. To ensure that the framework functions efficiently, we routinely conduct tabletop testing exercises using risk analysis to select which components of the plan to test.
Compliance
Our data security and privacy protocols include regular compliance assessments of our policies and standards and applicable state and federal statutes and regulations. We use security monitoring utilities and internal and external audits to validate compliance with our internal data security controls.