HOW CAPCO CRAFTED A DATA LOSS PREVENTION STRATEGY FOR A US-BASED LIFE & ANNUITY COMPANY

INTRODUCTION

The client has experienced sustained growth and expects to double the number of policyholders by the end of this decade. Insurance companies collect a large amount of sensitive information about their policyholders. As a national insurance and annuities company, the client is subject to numerous privacy regulations at the state and federal levels, with more regulations expected in the coming years. Capco created a scalable, adaptable Data Loss Prevention (DLP) program that secures the sensitive data of the client’s policyholders and of the business, both to prevent data breaches and to achieve regulatory compliance.



WHY NOW? 

The client has grown rapidly within the past decade and expects to double the number of policyholders by the end of this decade. They also expect to contend with new regulations in the insurance industry, such as the 2023 NYDFS Cybersecurity amendment.



HOW WE DID IT

  • Capco engaged with the client in a four-phase approach:
    • Data discovery and governance review
      • Reviewed artifacts and interviewed stakeholders to develop an overview of the data estate so that a proper scope and requirements could be captured pertaining to DLP.
      • Reviewed artifacts and interviewed stakeholders to understand policies and processes that have DLP implications.
    • Protective controls gap analysis
      • Used the NIST Cybersecurity Framework to perform a security controls assessment focused on DLP impacts and to create a gap assessment.
    • Data loss risk assessment
      • Reviewed artifacts and interviewed stakeholders to determine present data loss risks to the organization and present data loss indicators.
      • Presented a perspective on future data loss indicators available once potential solutions are implemented.
    • DLP strategy creation
      • Created a data loss prevention strategy and implementation roadmap inclusive of information and insights gathered through previous phases.
      • Our recommended strategy calls for developing foundational policies and processes, leveraging current tooling to gain quick data visibility and address security control gaps, and developing future DLP capabilities through the integration of new solutions.
  • There were two major challenges in the project:
    • At the outset, the client was unsure of the required scope of the project. The Capco team was able to create that scope through the extensive artifact review and stakeholder interview processes during phase 1 of the project.
    • The second major challenge was the aged and diverse nature of the data ecosystem. The client has legacy systems dating back to the 1970s. The challenge of creating a set of solutions that work together to address the needs of both legacy and modern platforms was overcome through a mix of strategy and tooling selection.
  • Capco worked with the CISO, the Information Security team, IT Governance, Risk & Compliance, Data Governance, Data Architecture, Data Infrastructure team, and numerous IT application team leads.



WHAT WE DELIVERED

  • Immediate benefits: A full DLP strategy with step-by-step recommendations including a timeline of DLP initiatives prioritized by impact, staff resource requirements, and technology recommendations. 
  • Long-term benefits: The DLP program is designed to grow and mature over time in a way that aligns with the white-glove approach preferred by the client. The successful implementation of the DLP program will strengthen data security across the organization and meet key regulatory requirements.
  • The financial benefits of a DLP program are expressed as the avoidance of other costs:
    • Data breaches result in fines
    • The remediation of data breaches often involves engaging costly cybersecurity consultants
    • The financial impacts of reputational damage and lost business
  • Artifacts produced by Capco:
    • Phase 1: Data Governance and Process Review, Preliminary Data Inventory, Sensitive Data Observations Report
    • Phase 2: Cybersecurity Framework, Data Loss Prevention, Gap Analysis
    • Phase 3: Data Loss Risk Report
    • Phase 4: Data Loss Prevention Strategy
  • Capco completed the necessary review, analysis, and workshops, and delivered six high-quality deliverables to build an enterprise-wide DLP strategy that received positive feedback from the entire client team.