
Ensuring uncompromised information security for a European insurance client

The client is a leading player in the global insurance industry with a widespread presence in 50 countries and has a dynamic workforce of 72,000 employees, collectively serving over 65.9 million customers across the globe. It is one of the world's foremost providers of insurance and asset management services.



Use Case

Information security

What the client achieved

Reskilled 12,000+ employees across 15+ geographies

1000+ unique assessments created across 14 skills in 11 languages

Business challenges

The 190-year-old company fosters a learning culture to encourage employee growth and development across geographically dispersed teams. It regards upgrading knowledge and skills as cornerstones of change and development, and recognized that training interventions are the fulcrum on which its organizational transformation strategy pivots. This realization drew the company toward meticulously defined reskilling programs that would give it granular insight into the areas where employees’ skills and competencies needed strengthening.


The company comprehended the need to invest in the employees’ near-term and future skills needs, considering the need to build long-term organizational resilience in a continually evolving marketplace. Therefore, it sought a comprehensive reskilling program to provide at least 50% of its employees worldwide with new business, digital and behavioral skills. The company wanted to assess employee proficiency levels on its specific skills catalog’s parameters. Thus, it desired a reliable technology provider to automate and scale the skills assessment process.


However, the company was sensitive to cybersecurity concerns, as it relied on third-party service providers. The reason is that third-party service providers usually perform or support essential operations and are privy to organizational data, be it customer data or access to internal networks.


Due to the nature of the insurance company’s business, it needed its partner to maintain the highest levels of information security standards. Thus, it expected its partner to demonstrate an unwavering commitment to information security.


The company needed solutions to meet the following requirements:


Enterprise privacy concerns


Data is the most crucial asset for any organization, so information security was the company’s foremost concern, given the scale of the drive and the large volumes of data it would generate. Before onboarding a partner, the company wanted assurance of uncompromising data protection and fail-safe provisions to keep enterprise data safe from theft and leakage.


Trustworthy service provider selection


Due diligence in ascertaining that the provider offers adequate security protocols to prevent data breaches is critical before onboarding a technology partner. Effective data security involves safeguarding various datasets and fulfilling regulatory compliance requirements. The client was also conscious that a data breach could seriously dent the corporation’s reputation.


Assessing information security preparedness and resilience


The company had defined some critical parameters within which it wanted to assess a service partner’s cybersecurity preparedness and resilience. These parameters were:

  • The partner needed to demonstrate that its established security controls were highly effective, by providing evidence such as a System and Organization Controls (SOC) report and its most recent independent penetration and vulnerability assessment report. Besides, the partner needed to strictly adhere to applicable regulations and standards (e.g., GDPR, ISO/IEC 27001, etc.).
  • The partner needed to provide contracted services even in unforeseen circumstances, such as disaster recovery and business continuity plans.
  • The partner needed to demonstrate it possessed a robust incident management program and would rightfully report incidents as mandated by law, regulations and industry practices.

Reputational risks inherent in security incidents


The company was also well-versed in the reputational risks of an information security breach or hack. It was aware that a publicized, high-profile data breach or hack could permanently damage the reputation of any organization, large or small, and that the logistical and financial consequences could be equally profound. That is why the organization did not want to compromise on information security.


GDPR compliance


The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy that applies across sectors and to organizations of all sizes. Although it was drafted and passed by the EU, it can impose accountability measures on companies anywhere, should they collect or target data concerning EU residents. Since the client was a major Europe-centric company, finding a service provider that complied with all of its requirements was critical. The company also wanted localized data storage servers in Europe.


Since many software companies claim to be GDPR compliant, focusing on the three characteristics mentioned below was crucial for proper vendor selection:

Privacy by design

Article 28 of the GDPR says that companies should undertake due diligence in selecting service providers, employing only those that meet the parameters laid down by the GDPR and safeguard the data subject’s rights. A data subject is any person whose personal data is collected, controlled or processed by an organization. Personal data is any data that can identify an individual, such as name, residential address, card details, etc. A service provider should offer privacy by design to comply with the GDPR.

Data control

The GDPR emphasizes the right to be forgotten, which means that individuals should have more control over their data, requiring organizations to delete the personal data of individuals upon request, or when it is no longer needed. Therefore, a technology partner needed to adhere to these requirements and present a suitable and sustainable plan for controlling user data.

Stance on data privacy

The GDPR is all about protecting the personal data of individuals and giving them control over their personal data. Similarly, while selecting a GDPR-compliant service provider, its organizational culture and outlook on data privacy with its stakeholders need to be considered. It is not worth running the risk of onboarding a partner that is not fully committed to ensuring data privacy.

Winning the client’s trust


The company’s unparalleled domain expertise and strategically focused innovation approach make it a leader in the insurance industry. Its learning and development (L&D) function’s primary focus was on reskilling employees and making them ready for the future of work. Such a task also required that the partnering service provider adopt the latest technology, stringent policies and extensive protocols to ensure information privacy and data security at every stage of the process.


Mercer | Mettl gained detailed insights into the client’s reskilling strategy and bottlenecks, and deep-dived into charting out a possible course of action. Additionally, Mercer | Mettl’s leading-edge talent assessment software and industry-leading data privacy and security provisions instilled a sense of confidence in the client. Moreover, Mercer | Mettl’s customized service offerings resonated with the company.


Pleased with the promising potential of Mercer | Mettl’s products and information security arrangements, the company decided to leverage them to streamline its skills assessment process for reskilling drives across various geographies. As a result, the client’s collaboration with Mercer | Mettl began with in-depth deliberations on the project requirements.


Mercer | Mettl consultants worked closely with the client to integrate a skill mapping framework tailored to the client’s needs. They created an advanced analytical dashboard to provide insight into skills penetration in each geography. The customizable data analytics and reporting dashboard provided readily configurable reports at individual and group levels.


The process of workforce clustering to identify candidates for skill assessment and development followed. Mercer | Mettl’s highly advanced platform and scientifically validated assessments were also configured. Carefully designed assessments by subject matter experts were also finalized to gain the best insights into employees’ functional knowledge and personality traits.


The HR managers identified crucial parameters to assess employees based on their respective domains. Conducting assessments to evaluate them on given parameters enabled HR professionals to get detailed insight about each candidate in terms of the top three skills (strengths) and bottom three skills (areas that need improvement). This way, HR leaders localized the training program accordingly in different geographies. Instead of having standardized training programs, they created customized training programs by understanding the core skills that needed training interventions across the business units in different geographies.


Mercer | Mettl’s stringent policies and extensive protocols to ensure information privacy and data security enabled the client to conduct and scale training needs assessments and create a targeted plan for employees without worrying about digital security. Mercer | Mettl, with its deep-rooted commitment to making training assessments secure, credible and scalable, built a secure ecosystem for the client, ensuring the security of the candidates’ personal data. Data security, assessments’ credibility and robust processes were the three pillars of Mercer | Mettl’s security ecosystem, which was backed by numerous compliance standards.


Listed below are some of the critical information security features embedded within the Mercer | Mettl ecosystem:


Hosting on AWS


Mercer | Mettl data is hosted on Amazon Web Services (AWS), one of the most flexible and secure cloud computing environments available on the market. Mercer | Mettl uses a wide variety of AWS services for data storage and computation.


Data encryption in transit


Data exchanged between a test-taker and Mercer | Mettl over the network is encrypted to safeguard against any breach. All data exchanged over the network between a test-taker and an invigilator is secured and encrypted via HTTPS (256-bit SSL/TLS encryption). In addition, TLS 1.2 is enabled to support the secure transmission of HTTP calls.


Data encryption at rest


Databases in which personal information, assessment records and other sensitive details of candidates and clients are gathered are stored in a maximum-security environment. Mercer | Mettl is strictly against bartering or selling any information to outside partners, or storing data for its own marketing interests. Moreover, for endpoint access, it offers various authentication combinations to address any vulnerability.


Access right management


The Mercer | Mettl platform has clear guidelines on who can view and access the various system resources, allowing it to track who accessed the data, when and from where. It supports creating various roles with defined access rights, log reports and audit trails. In addition, access is allocated according to the principle of least privilege to avoid any unauthorized data disclosure.


Multi-factor authentication


Multi-factor authentication ensures that only an authorized person is logging into the account, acting as an additional layer of security on top of the login mechanism. The username and password are prompted for at login as the primary layer.


General Data Protection Regulation (GDPR) Compliance


Mercer | Mettl is GDPR compliant. Its policies and processes adhere to the GDPR principles of data minimization, data subject rights and data management (storage and security, retention, breach management). These policies and procedures are reviewed at least annually, or whenever a change is required by the regulation.


A) Data collection


Mercer | Mettl’s clients may require additional information to be collected from assessment takers, and they define what this information could be. To ensure that assessment takers are made aware of why such information is being collected, there is a provision of configuring and enabling ‘explicit consent,’ which can be obtained from candidates before administering an assessment. Moreover, Mercer | Mettl’s privacy policy clearly states ‘what,’ ‘why,’ and ‘how’ candidate personal data is processed.


B) Data subject rights


Mercer | Mettl has implemented processes to acknowledge and respect data subject rights. A data subject can email at ‘#mettl_privacy_mettl@mercer.com’ and request to exercise data subject rights. Since Mercer | Mettl is a data processor, processing data at the behest of data controllers, the controllers (its clients) determine if the candidate’s data subject right request is valid and actionable.


C) Data management


Mercer | Mettl is a cloud-based SaaS platform hosted on AWS. All the data in transit and at rest is secured using industry-standard mechanisms. Provisions to store data are defined in the contract between the client (the data controller) and Mercer | Mettl (the data processor). The client can choose to have the data deleted from Mercer | Mettl’s cloud-based servers as desired. The client can place a request to remove all data after the termination or expiry of the contract.


ISO 27001:2013 Compliance


Mercer | Mettl is compliant with ISO 27001:2013. It has implemented all the controls related to secure development, access management, encryption and key management. It also deploys AWS CloudWatch to monitor these controls and changes across the organization. In addition, it has device- and network-level threat assessment programs, along with web application penetration testing as part of its vulnerability assessment program. Mercer | Mettl is assessed by the certifying body TUV every year as part of the surveillance program.


ISO 9001:2015 Compliance


ISO 9001 is the world’s most recognized Quality Management System (QMS) standard. Its primary objective is to help organizations meet the needs of their customers and other stakeholders more effectively. Mercer | Mettl has built a framework to ensure consistent quality in the provision of goods and services. It has focused on several quality management principles, including a strong customer focus, a standard process approach and continual improvement. Using ISO 9001, Mercer | Mettl ensures that customers consistently get good-quality products and services.


Virus safety protocols


Mercer | Mettl has adopted the top-notch data security and virus protection standards practiced by Mercer and Marsh McLennan (MMC Group). It runs best-in-class Vulnerability Assessment and Penetration Testing (VAPT) programs. The VAPT program addresses ransomware, botnet and other related threats. In addition, Mercer | Mettl runs the most secure authentication processes on all organizational devices, fortified with stringent data safety and antivirus software.


Penetration testing


Mercer | Mettl conducts penetration testing annually. It also runs device- and network-level threat assessment programs, along with web application penetration testing.


Vulnerability testing


Mercer | Mettl conducts vulnerability assessments with the help of internal experts and external vendors. Third-party network and application vulnerability tests are undertaken annually. Additionally, it runs tools like WhiteHat daily to discover any application vulnerability.


External and internal auditing


Mercer | Mettl takes external and internal auditing seriously. External audits are performed by certifying bodies yearly, in line with ISO 27001:2013. Internal reviews are conducted once every six months.


Localized servers


Most importantly, Mercer | Mettl offers localized data storage in the following regions:

  • Europe
  • India
  • China

The Impact

Mercer | Mettl’s sophisticated suite of assessment tools and purpose-built end-to-end information security arrangements enabled the leading insurance company to identify skills gaps in its workforce and create individual and organizational development plans without concerns about the security of its data, backed by Mercer | Mettl’s data security architecture.

Here are a few highlights:

  • Approximately 2500 assessments were conducted across 25 different skills in 14 languages across 40 different business units.
  • Mercer | Mettl’s comprehensive and data-driven assessment reports offered actionable insights on areas of development for every employee, complete with a comprehensive list of strong and weak areas.
  • Being a global conglomerate, the client works across geographies. It signaled its firm stance on data privacy and security standards before partnering with a trusted ally. Mercer | Mettl has ticked all the boxes and helped the company conduct over 2500 training assessments thus far.

The Way Forward


Without substantial navigational support, the path to reskilling the workforce was paved with unforeseen challenges, keeping the organization from finding its true north. However, given the immense value added by Mercer | Mettl’s intervention in the client’s ambitious reskilling project, the management plans to continue using training needs assessments extensively, helping it create a scientifically validated reskilling plan for its 72,000-strong workforce.
