As cyber threats evolve, the regulatory environment is also changing rapidly. In the face of a cyberattack, agents and brokers are presented with a double-edged sword: business interruption costs and reputation loss associated with an attack on one side, and the regulatory requirements—whether an attack has occurred or not—on the other.
Handling sensitive information is now one of the most critical responsibilities faced by the modern insurance agency. Independent agents and brokers must properly collect and protect sensitive client information, which means complying with state and federal regulations, as well as adhering to customer service best practice standards and compliance with data privacy laws mandated in all agency and company contracts.
Further, every state now has a data breach notification law, and the requirements already differ from state to state and may diverge further as each state's insurance department interprets them. At the federal level, the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule set the baseline obligation for financial institutions, insurance agencies included, to protect customer information. Layered on top of GLBA are state regimes such as the New York Department of Financial Services (NY DFS) cybersecurity regulation (23 NYCRR Part 500) and the newer National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which several states have already adopted and many others are reviewing.
The penalties for non-compliance are severe. Financial institutions found to have violated the regulations can be fined up to $100,000 per violation, and directors and officers may be held personally liable for a civil penalty of up to $10,000 per violation.
Here is a 12-step compliance and protection roadmap designed to help agencies meet cybersecurity regulatory requirements:
1) Risk Assessment
A risk assessment identifies the threats and vulnerabilities that could negatively impact an organization's ability to conduct business, rates them by likelihood and impact, and selects the measures, processes and controls that reduce each risk to an acceptable level. It is the foundation for everything that follows: the written policy, the controls you deploy and the tests you run should all trace back to a risk the assessment identified. The assessment should include a risk mitigation checklist and should be repeated when the business or its technology changes materially, not treated as a one-time exercise.
For help understanding hardware and software and how to count, configure, control and patch technology systems, review the “Cyber Hygiene" toolkits created by the Center for Internet Security (CIS) and adjusted using input from ACT's Security Issues workgroup. StaySafeOnline.org and NextGen Data Security also provide useful resources for how to stay safe online.
2) Written Security Policy
A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets. It can also be referred to as a “written information security policy" or WISP.
The document must detail your agency's practices for security governance, asset inventories, controls, business continuity, disaster recovery and systems monitoring, including how internal and external risks are mitigated. There are numerous resources that can help agencies create their policy, including ACT's Cybersecurity Policy Template, the Federal Communications Commission's Cyber Security Planning Guide and Information Shield's policy template library of over 1,600 pre-written information security policies covering over 200 security topics.
3) Incident Response Plan
A key part of your written security policy is an incident response plan. This is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an incident.
The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations. This includes notifying the state insurance regulator upon detection of a cybersecurity event (in New York, the DFS superintendent must be notified no later than 72 hours after the agency determines that a reportable event has occurred) and communicating with customers, insurers and third-party service providers. Notification thresholds, deadlines and recipients vary by state, so the plan should list them for every state in which the agency does business.
4) Staff Training and Monitoring
This is a critical requirement. Even if every other area is compliant, one misstep by agency personnel can expose data through malware, phishing or other intrusions. ACT strongly recommends that all businesses, regardless of size, train their staff on online security risks.
Training topics include how to recognize phishing and social engineering attempts, how to handle data safely as working arrangements change, and the general vulnerabilities and threats to business operations. Resources from PhishMe, KnowBe4, Curricula, Junglemap and Sophos can help train all agency staff on how to identify threats, and simulated phishing campaigns let you measure whether the training is working.
5) Penetration Testing and Vulnerability Assessment
Penetration testing, also called pen testing, is the practice of actively attempting to exploit a computer system, network or web application to find weaknesses an attacker could use. The NY DFS regulation calls for it at least annually. Tests should be run from both an internal perspective (a compromised workstation or malicious insider) and an external one (an attacker on the internet). External tests are rarely free, but no system is ever airtight, and finding an exploitable weakness before an attacker does is well worth the expenditure.
A vulnerability assessment, which the NY DFS regulation calls for twice a year, is the process of defining, identifying and classifying the security holes and weaknesses in a computer, network or communications infrastructure; unlike a penetration test, it catalogs weaknesses rather than exploiting them. A solid penetration test plan sets a clear scope and rules of engagement (which systems, records and databases are in bounds), attempts to exploit those targets, rates each finding by severity from low to critical, and ends with analysis, remediation recommendations and a retest to confirm the fixes. This is best handled by experienced providers.
6) Access Control Protocol
This responds to regulations requiring restricted access to non-public information, including PII (personally identifiable information), PHI (protected health information) and payment card data protected under the PCI DSS (Payment Card Industry Data Security Standard). This is a key area of data security, and although the term sounds complex, it is about authenticating your users and then authorizing each of them to access only the information they need to carry out their roles, the principle of least privilege. Access should be reviewed when roles change and revoked promptly when staff leave. The policy must also address today's hybrid environments, where data leaves on-premises servers for home offices, cars and public wi-fi hot spots over personal routers that the agency does not control.
7) Written Security Policy for Third-Party Service Providers
This is a written policy outlining procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. The NAIC refers to this as an information security program.
While the cyber threats connected to third-party vendors or service providers to your business are very much real, the regulation around how businesses must approach this risk is still very much evolving.
8) Encryption of Non-Public Information
Encryption is the process of encoding data so that only someone holding the correct key can read it. Non-public information refers to all electronic information that is not publicly available and, for insurance purposes, means PII, PHI and payment card data.
Regulation describes the need to encrypt and protect this data when in storage ("at rest") and when transferred between the insurance agency and its policyholders ("in transit"), such as via email. There is an exemption to this regulation where encryption is infeasible and compensating controls are used instead, but it requires a waiver request to be submitted annually, depending on your state.
One method for email encryption in transit is TLS (Transport Layer Security). Two caveats apply: TLS protects a message only while it travels between mail servers, not once it sits in a mailbox, and it only protects the hop if both servers negotiate it; opportunistic TLS silently falls back to cleartext when the other side does not support it. For more information on how to encrypt your emails, check out ACT's "E-mail Encryption via TLS FAQs" or ask your carriers whether they support and enforce it.
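The "at rest" half of the requirement is usually met by encrypting sensitive fields before they are written to the agency's database. The following Go program is an added example, not code from the original article or from ACT, showing how to do that with AES-256-GCM, an authenticated cipher that detects tampering as well as hiding the contents. The function names, the sample policy record IDs and the dummy SSN are hypothetical; the 32-byte key is generated in memory here purely for illustration, whereas a production system would fetch it from a key management service or hardware security module and never store it beside the data. The record ID is bound into the ciphertext as associated data, so a ciphertext copied from one policyholder's row into another's fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// sealField encrypts one sensitive field (for example an SSN) under a 256-bit key
// with AES-256-GCM. recordID is passed as associated data (AAD): it is not
// encrypted, but the authentication tag covers it, so decrypting under a
// different recordID fails. The result is base64(nonce || ciphertext || tag),
// which fits in an ordinary text column.
func sealField(key []byte, recordID string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random 12-byte nonce per encryption. Reusing a nonce under the
	// same key breaks GCM's confidentiality and authenticity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce || ciphertext || tag.
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openField reverses sealField. Any bit flip in the nonce, ciphertext or tag,
// or a recordID that differs from the one used at seal time, makes gcm.Open
// return an error instead of garbage plaintext.
func openField(key []byte, recordID string, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to contain nonce and tag")
	}
	nonce, ciphertext := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	// Illustration only: a real key comes from a KMS/HSM, never from the code or the database.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	stored, err := sealField(key, "policy-1001", []byte("123-45-6789")) // constructed sample SSN
	if err != nil {
		panic(err)
	}
	pt, err := openField(key, "policy-1001", stored)
	fmt.Printf("same record:  %q err=%v\n", pt, err)
	_, err = openField(key, "policy-2002", stored) // ciphertext moved to another row
	fmt.Printf("other record: err=%v\n", err)
}
```

Because the nonce is random per call, encrypting the same SSN twice yields two different stored values, which also prevents an attacker who reads the database from spotting duplicate values across records. The key-handling comment is the important operational point: the regulation is not satisfied if the key sits next to the data it protects.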
9) Designation of Chief Information Security Officer
This is the designation required by the New York State Department of Financial Services (NY DFS) cybersecurity regulation, which calls the role the chief information security officer (CISO), for agencies doing business in New York that are subject to the regulation; nationally, the role can be viewed as the agency's data security coordinator. Where required, the CISO covers a broad set of responsibilities for an agency: owning the cybersecurity program, reporting annually to the board or senior management on the program's state and plan, and continually reviewing whether the agency's controls and future planning remain reasonable.
The CISO should be someone well acquainted with the technology and IT aspects of the business. In a small agency the role is often filled by the chief information officer (CIO) or another senior technology owner, and the regulation allows it to be filled by an affiliate or third-party service provider, provided the agency retains responsibility for oversight.
10) Audit Trail
An audit trail, also referred to as an audit log, is an electronic record that provides a step-by-step documented history of a transaction or system activity. In its accounting sense it lets an examiner trace financial data from the general ledger back to the source document, such as an invoice, receipt or voucher. In its cybersecurity sense, which is what the regulations have in mind, it means system and application logs sufficient to reconstruct material financial transactions and to detect and respond to a cybersecurity event: who logged in, from where, what records were viewed or changed and when. A reliable, easy-to-follow audit trail is an indicator of good internal controls and forms the basis of objectivity. To be reliable, logs must be written to a location the people and systems being audited cannot alter, and retained for the period the applicable regulation requires.
For agencies, the logs from your agency management system together with those of all interfacing systems provide a solid foundation for an audit trail. The National Institute of Standards and Technology offers guidance on creating and managing audit trails, notably NIST Special Publication 800-92, Guide to Computer Security Log Management.
11) Implementing Multi-Factor Authentication
Multifactor authentication (MFA) is a security control that requires more than one method of authentication, drawn from different categories of credentials (something the user knows, such as a password; something the user has, such as a phone or hardware key; something the user is, such as a fingerprint), to verify the user's identity for a login or other transaction. The NY DFS regulation requires MFA for remote access to the agency's internal networks.
One example is a policyholder logging into an agency website and being asked for an additional one-time password (OTP) generated by an authenticator app on their phone or sent to them by text message or email. Not all second factors are equal: a code emailed to an inbox that is itself protected only by a password adds little, and codes sent by SMS or email can be phished or intercepted. Authenticator apps that generate time-based codes, or hardware security keys, are stronger choices for staff access to agency systems.
12) Procedure for Disposal of Non-Public Information
As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and payment card data. Improper document and media destruction is often a downfall of small business security.
Regulations on this vary by state. Agents doing business in multiple states should adhere to the strictest applicable requirement. Keep in mind that there is a difference between complete disposal of information and simple deletion: deleting a file or emptying a mailbox usually just unlinks the data and leaves it recoverable with ordinary forensic tools. Complete disposal means overwriting or cryptographically erasing the data (destroying the key that encrypted it), or physically destroying the drive, backup tape or paper record, and keeping a record that it was done. Learn how the disposal rule applies to PII collected by businesses and government and stored in various digital and paper formats via the National Conference of State Legislatures online.
Ron Berg is executive director of the Agents Council for Technology (ACT). This article is adapted from ACT's Cyber Guide 3.0.