MorganAsh has invested significantly in privacy and security, right from the formation of the business. Security is built into everything we do, giving customers the assurance that any data held by us is always safe, accessed only when needed, and destroyed when no longer required. MorganAsh is an ISO 27001-certified company, certificate 215374 – ISO 27001 is the international standard for information security management systems. MorganAsh is a Cyber Essentials Plus-certified company, certificate IASME-CEP-003810 – Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme and includes an independent technical audit of the controls.
We believe that the way to ensure the highest level of security is to develop and manage our own systems from the ground up. We have an in-house development team, entirely responsible for creating, deploying, managing and monitoring all of our bespoke systems. Client data travelling to and from those systems is protected in transit by TLS (the successor to SSL, still widely referred to by that name) with 128-bit encryption, the same mechanism used by most online banking applications.
To handle sensitive information securely, MorganAsh works within robust, defined business processes across all aspects of its operation. We commit data to paper only when it is required and then only for a defined duration, after which it is securely destroyed. All data systems are secure with access granted only to those who need it, at the point of need. Any data sharing with our clients is undertaken within agreed, predefined processes, giving them access only to what they require and always working within FCA guidelines.
All MorganAsh team members are trained to work with client data in a responsible, legal and respectful way. All interviews are arranged by trained team members, who only have access to the information required to schedule interviews. Interviews themselves are handled entirely by qualified healthcare professionals – typically senior nurses – who are accustomed to, and trained in, handling confidential information in a sensitive and private manner. Team members only have access to the specific information required to undertake their role.
Data use and storage
MorganAsh adheres to all relevant data regulations. In the EU, this is the General Data Protection Regulation (GDPR). We are typically contracted by an insurance company, broker, financial adviser, company, pension trustees or similar organisation. In most cases they are the Data Controller and we are the Data Processor, as defined within GDPR. In all cases the medical data is shared only with those people who need to see it; usually this is the medical underwriters or the claims managers within the client insurance company. Staff not involved in these tasks do not have access to the data.
We and our customers go to great lengths to limit data access to those who need to see it in order to perform their role or execute their business. Interview recordings are used for quality purposes; we routinely listen to recordings to check the quality of our own work, or if there is a complaint. This is in everyone’s interest. We store the medical data, and the recordings, in line with our customers’ requirements – in many cases this will be for the length of the policy or contract.
Responding to an attack
In March 2020, MorganAsh was subject to an attempted ransomware attack. The attack failed to breach any operational systems: no consumer data was breached, no consumer data was lost and no ransom was paid. The attack did manage to access the development and test environments; this caused some disruption and, prudently, MorganAsh ceased operations for three days while the issue was fully addressed and rigorously tested. MorganAsh informed the FCA. There was no requirement to inform the ICO because no personal data breach had occurred. MorganAsh has since passed audits for ISO 27001 and Cyber Essentials Plus. A report by SecurityScorecard shows MorganAsh as a clear leader in security within the industry.
FCA, legal and compliance information
We are registered with the Financial Conduct Authority (FCA) in the UK, number 451227, and operate in other European countries. Further details can be found on the FCA website. MorganAsh Limited is registered in the UK, company number 04955931 – our registered office address is: 7 Whitworth Court, Manor Farm Road, Manor Park, Runcorn, Cheshire WA7 1WA United Kingdom.