Hippo Insurance Services Streamlines User Access Reviews with Identity Governance


Summary

In the dynamic and heavily regulated world of property insurance, companies are constantly seeking innovative ways to streamline operations and enhance security measures. One such company, San Jose-based Hippo Holdings, grappled with effectively managing user access reviews (UARs) across their proliferating SaaS and cloud applications. Operating within a regulated framework and handling sensitive financial information daily, Hippo needed to change its process to efficiently accommodate the company’s rapid growth. With the help of CyberArk solutions, the InfoSec team at Hippo was able to automate over 90% of the access review tasks, thereby reducing the heavy lift of producing compliance and governance reports.

Company profile

Hippo protects the joy of homeownership, helping to safeguard customers’ most important financial assets by harnessing the power of real-time data, smart home technology, and a growing suite of home services to deliver proactive home protection. Hippo Holdings Inc.’s (NYSE: HIPO) operating subsidiaries include Hippo Insurance Services, Hippo Home Care, Spinnaker Insurance Company, Spinnaker Specialty Insurance Company, and Mainsail Insurance Company. Hippo Insurance Services is a licensed property casualty insurance agent with products underwritten by various affiliated and unaffiliated insurance companies. Coverage is subject to underwriting qualification and may not be available in all jurisdictions.

Challenges

Hippo Holdings operates in a highly regulated industry, where user access reviews (UARs) are not a choice but a necessity, mandated by the SEC’s SOX 404(b) compliance requirements. This mandate was complicated by the company’s use of dozens of SaaS and cloud applications hosted across various platforms, which held sensitive financial information crucial to the company’s operation. These applications were subject to quarterly compliance certifications by external auditors, which included UARs.

As the organization expanded, applications requiring UARs multiplied. With this increase in applications and users, the company searched for efficient solutions. The company faced three major challenges:

  • Access reviews took up to two weeks to complete, and were a team effort, with members from InfoSec, HR, and legal departments contributing their time to the process.
  • The preparation of audit materials was completely manual and involved checking access rights, cross-referencing with job roles, validating any changes, and verifying compliance with internal policies and external regulations.
  • Each application had a different review process and, at times, unique challenges, further complicating the process.

It was evident that a more streamlined, efficient, and secure solution was needed – one that could effectively automate user access review processes and help ensure consistent compliance.

“By eliminating the manual aspects of user access review, the team could process reviews more accurately and in less time. The process that used to take two weeks per application was reduced to just two days. This boost in productivity ultimately enhanced the team’s contribution to the organization’s overall security and compliance goals,” noted Tal Hornstein, CIO and CISO at Hippo Holdings.

Solutions

As Hippo sought to transform its user access review processes, the main objectives of the InfoSec team were:

  • Accelerate the review process: Hippo wanted a system that could speed up these reviews significantly, ensuring faster responses and quicker remediation actions.
  • Optimize resource utilization: The company was also keen to use the time of its highly skilled InfoSec personnel efficiently. While tied up in these time-intensive tasks, they were prevented from focusing on more strategic and higher-value initiatives. By automating this process, the company aimed to free these valuable resources so they could contribute more to the organization’s security posture.

The organization knew that achieving these objectives would require a shift in its approach to user access reviews. This realization led them to embark on a search for a solution that could bring about the desired change. It was in this context that they discovered CyberArk’s modern IGA solution.

The company was drawn to CyberArk’s automation and access review workflow capabilities. They acknowledged that CyberArk could not only streamline and automate their user access review processes but also offer customized workflows to fit their unique organizational needs. This was crucial in addressing the specific pain points and inefficiencies they were experiencing.

The solution’s ability to adapt to the company’s existing structure, in combination with advanced technology, distinguished it from other market options. The company was particularly impressed by the solution’s unique ability to gather data from applications that didn’t support APIs or other user management capabilities.

Results

With the CyberArk solution, over 90% of the previously manual tasks became automated. The new UAR process begins with automated data collection from all the relevant SaaS and cloud applications and is followed by automated mapping of the collected data. This mapping allows for an efficient, automated review, reducing the required time and resources.

CyberArk’s solution delivers comprehensive reporting, giving the InfoSec team insights into user access across the organization. This level of insight not only helps the team monitor and manage access effectively, but also assists with compliance and governance requirements, and facilitates the generation of the necessary documentation for external auditors.

With the efficiency created by this process, the InfoSec team and their stakeholders have more time now to focus on other tasks. The process that used to take two weeks per application was reduced to just two days, and most of the certifications could now be completed by two members of the InfoSec team. Adding more applications to the review was no longer a pain point and did not slow down the team or add extra time to the quarterly audit readiness process.


“With CyberArk’s help, over 90% of our access review tasks became automated. The tedious task of manual information collection, which was previously time-consuming and resource-intensive, became a streamlined, predictable process.”

– Tal Hornstein, CIO & CISO, Hippo Holdings

Additional benefits included:

  • Enhanced AWS user management: With the CyberArk solution’s cloud-specific features, managing user access in their AWS environment became more efficient. The InfoSec team could automatically gather and review user access data from AWS, ensuring that access was appropriate and secure. In addition, the team was able to utilize the CyberArk solution’s capabilities to manage user identities and access controls, allowing for secure cloud usage.
  • Compliance and governance objectives: A significant accomplishment was the ease with which the company could produce compliance and governance reports. With CyberArk’s comprehensive reporting features, the team is able to generate detailed reports that address the needs of external auditors and satisfy the accuracy and completeness requirements. This capability simplified the company’s audit process, helping to reduce both stress and workload for the InfoSec team.

Key benefits

  • Reduced burden on IT team by automating access review processes and improving operational efficiency.
  • Enhanced AWS user management that allows the team to manage user identities, access controls, and secure cloud usage.
  • Meet SOX 404(b) compliance and governance requirements with comprehensive reporting features.
