Do the WORM: A Guide to Protecting Your Agency's Files

Write Once, Read Many (WORM) refers to a format of saving digital files in a way that makes them non-rewritable and non-erasable.

One of the first priorities of any insurance agent is to keep client information safe from threats both inside and outside the agency. Clients trust you to protect their vital data and to keep an accurate account of their history with you. This isn't just for their sake; it also keeps your agency in compliance with several federal and state regulations.

Compliance is multi-faceted and record-keeping is a major part. State insurance regulators enforce compliance among companies regarding industry-specific concerns, while several other laws work to make sure financial and health information is being correctly handled.

Staying compliant involves careful categorization of files and foresight into exactly where they will be stored. Security precautions need to be taken whether your records are physical or digital. Auditors scrutinize every aspect of your filing system, so your records need to be readily available for audit, together with documentation that details the history of each document.

However, a major cause of audit violations is human error, for physical and digital records alike. Accidental erasures or the misfiling of outdated document versions raise questions about the integrity of your records, opening a can of worms that leads to closer inspections and potentially more penalties.

When it comes to digital records and preventing human error, it's best to automate wherever possible and set up policies to ensure records are indelible and accessible.

What Is WORM?

Write Once, Read Many refers to a format of saving digital files to writable media in a way that makes them non-rewritable and non-erasable. It essentially sets a record in stone, leaving it impervious to tampering—once it's created, it can't be changed or deleted.

U.S. Securities and Exchange Commission Rule 17a-4, as in force when this was written, requires that broker-dealer records kept electronically be preserved so that once a file is stored it cannot be altered or deleted (the SEC's 2022 amendments to the rule added an audit-trail alternative, but the non-rewritable, non-erasable option remains). Yet the record must stay accessible to be read as needed, and regulations can also stipulate how long it must remain in an unalterable state. For records stored in electronic media such as optical disks, hard drives or cloud storage, paragraph (f) of the rule says the electronic storage media must:

  • Preserve the records exclusively in a non-rewritable, non-erasable format.
  • Automatically verify the quality and accuracy of the storage media recording process.
  • Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention for the information placed on such electronic storage media.
  • Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) of the rule, as required by the SEC or the self-regulatory organizations of which the member, broker or dealer is a member.

WORM is essential for entities that need to stay compliant with SEC, Financial Industry Regulatory Authority, and Commodity Futures Trading Commission rules. Basically, it's for any organization that needs to prove in an auditing situation that certain, protected records have not been altered, deleted or tampered with.

Of course, immutability is only half of the picture. WORM guarantees that a record cannot be changed or removed; it says nothing about who may read it. The data also needs to be quickly accessible at all times, but only to authorized people, so a strong permissions and access control system must be put in place alongside it.

For internal security purposes, group-based permissions allow certain documents to be accessible only to authorized users. As an administrator, you decide who sees what. Group-based permissions are one of several controls a document management system should provide to make your data more secure.

Many security breaches start with a weak or reused password, so you should also require users to create passwords with a minimum length that includes upper and lower case letters, numbers and special characters, and you can set how frequently users must reset their password. One caveat a practitioner would add: current NIST guidance (SP 800-63B) puts more weight on password length, screening against known-breached passwords and multi-factor authentication than on composition rules and forced rotation, so if your document management system supports multi-factor authentication, turn it on.

While commonly used in the financial and securities sector for broker-dealer records, WORM is a great rule of thumb for insurance agencies to employ on digital documents.

It's not necessarily required for all compliance standards but is a best practice for insurance agents who want to protect the integrity of their clients' data and safeguard it from threats, whether external or internal.

The National Association of Insurance Commissioners' Second Principle for Effective Cybersecurity reads: “Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer's, insurance producers or other regulated entity's network should be appropriately safeguarded.”

WORM can be one of your best tools to prove to both clients and regulators that your records are secure and indelible. It acts not only as protection for your clients but for your business as well.

This is important for agencies that frequently use e-signature tools to get contracts, claims and other documents signed by clients. Ensuring that a signed contract is indelible, especially in a digital format, means its authenticity and content cannot be disputed later.

WORM is essential for agents who deal with securities products, such as variable annuity contracts and variable life insurance policies, or who must comply with the digital security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This leads to the question of retention. You need to know exactly how long each type of record must be kept, because different types of records have different retention periods. Businesses often don't want to keep records any longer than necessary, but note that even when a record is past its retention date, a business that is subpoenaed for it may still be required to retrieve and produce it if it still exists.

Being unable to produce a specific record can sometimes be a red flag for the overall document storage process. Businesses face hefty fines and other penalties from FINRA, SEC or state insurance regulators if it's a widespread problem with their records.

Do the WORM

So, your files are digital, or you've recently converted your documents into digital files. How do you ensure they're kept in a WORM format?

In the early days of digital files, the best and easiest way to store them in a WORM-compliant format was on non-rewritable optical discs like CD-Rs and DVD-Rs. Once written, they couldn't be overwritten or erased. That only protects the bits on the disc, though: the discs themselves can be lost, damaged or swapped out, so they still need to be serialized, inventoried and physically secured in a safe location.

Now, businesses are embracing digital but don't typically work with these physical storage devices. Cloud storage makes files easy to back up and replicate, but ordinary cloud storage is not WORM on its own: an administrator with the right credentials can still overwrite or delete an object. What makes it WORM is a retention lock enforced by the storage layer or by the document management system above it. Advanced document management systems let you define governance over documents, applying retention policies to individual files or groups of files. For instance, once a governance policy has been applied to a specific location, all files stored there are subject to the policy.

Here's an example. A company following SEC rules must retain an unalterable file for six years. A retention policy can lock edits and deletion for six years from the time the file is stored in that location. After the retention requirement is met, the system can allow the file to be altered or removed if desired. It can also be set to notify a specified user after the time has expired, or to purge the file from the system automatically; either way, the expiry and any purge should themselves be recorded so the audit trail shows why a record is no longer present.

Compliance standards require agents to have a clear audit trail of when documents were edited, what was changed and who changed them. An audit trail for all your digital records not only protects you in the event of an audit but makes the process go faster.

How do you ensure the indelibility of essential documents but still view a record of how and when it came to be, who created it and view an archive of older versions?

Versioning is the answer. The system saves every version of a file, so users never have to think about it: they simply open what they need, make their changes and save, and the previous version is kept rather than overwritten. Before a document is finalized, earlier drafts can be reviewed and recovered to catch errors or omissions.

If an administrator or auditor needs to see the original file, they have access to every version of it, along with who saved each one and when. Those versions should themselves be stored in WORM-compliant format so that the trail is complete and none of it can be quietly rewritten.
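The following is an added illustration of the mechanics described above, not eFileCabinet's code or any vendor's product. It is a small append-only record store that shows what the retention example (six-year lock from the time of storage, purge refused until it lapses) and the versioning and audit-trail requirements look like in code, and it also exercises the rule's "verify the accuracy of the recording" and "time-date" points by hashing every version at write time and re-checking the hash on every read. The record names, contents, dates and six-year period are constructed for the example; the clock is injectable so the expiry can be exercised without waiting six years.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

SIX_YEARS = timedelta(days=6 * 365)  # assumed retention period (the article's SEC example)


class RetentionError(PermissionError):
    """Raised when a delete is attempted while a retention lock is still active."""


class IntegrityError(ValueError):
    """Raised when stored bytes no longer match the hash recorded at write time."""


@dataclass(frozen=True)
class Version:
    number: int
    sha256: str             # fingerprint taken when the bytes were written
    stored_at: datetime     # the "time-date" the rule asks for
    locked_until: datetime  # the record may not be purged before this instant
    author: str


class WormStore:
    """Append-only record store: a save never overwrites, it adds a version."""

    def __init__(self, now: Callable[[], datetime], retention: timedelta = SIX_YEARS):
        self.now = now                       # injectable clock so expiry can be exercised
        self.retention = retention
        self._versions: Dict[str, List[Version]] = {}
        self._blobs: Dict[str, bytes] = {}   # sha256 -> bytes, standing in for the media
        self._audit: List[dict] = []

    def _log(self, action: str, name: str, who: str, **extra) -> None:
        self._audit.append({"ts": self.now().isoformat(), "action": action,
                            "record": name, "who": who, **extra})

    def write(self, name: str, data: bytes, who: str) -> Version:
        """Store a new version; earlier versions stay exactly as they were."""
        digest = hashlib.sha256(data).hexdigest()
        ts = self.now()
        versions = self._versions.setdefault(name, [])
        v = Version(len(versions) + 1, digest, ts, ts + self.retention, who)
        versions.append(v)
        self._blobs.setdefault(digest, data)
        self._log("write", name, who, version=v.number, sha256=digest)
        return v

    def read(self, name: str, version: Optional[int] = None) -> bytes:
        """Return one version's bytes, re-hashing them to catch corruption or tampering."""
        versions = self._versions[name]
        v = versions[-1] if version is None else versions[version - 1]
        data = self._blobs[v.sha256]
        if hashlib.sha256(data).hexdigest() != v.sha256:
            self._log("integrity_failure", name, "system", version=v.number)
            raise IntegrityError(f"{name} v{v.number} no longer matches its recorded hash")
        return data

    def delete(self, name: str, who: str) -> None:
        """Purge a record only once every version's retention period has run out."""
        versions = self._versions.get(name)
        if not versions:
            raise KeyError(name)
        latest_lock = max(v.locked_until for v in versions)
        if self.now() < latest_lock:
            self._log("delete_denied", name, who, locked_until=latest_lock.isoformat())
            raise RetentionError(f"{name} is locked until {latest_lock.isoformat()}")
        del self._versions[name]
        self._log("delete", name, who, versions_purged=len(versions))

    def history(self, name: str) -> List[Version]:
        return list(self._versions.get(name, []))

    def audit_trail(self, name: str) -> List[dict]:
        return [e for e in self._audit if e["record"] == name]


def fresh_store() -> tuple:
    """A store plus a mutable fake clock starting at a constructed date."""
    clock = {"t": datetime(2021, 3, 5, tzinfo=timezone.utc)}
    return WormStore(now=lambda: clock["t"]), clock


def demo() -> dict:
    """Draft, then e-signed final, early purge refused, purge allowed after expiry."""
    store, clock = fresh_store()
    store.write("policy-1234.pdf", b"draft contract", "agent")     # constructed sample record
    store.write("policy-1234.pdf", b"signed contract", "client")   # the e-signed version
    versions = len(store.history("policy-1234.pdf"))
    try:
        store.delete("policy-1234.pdf", "agent")
        denied = False
    except RetentionError:
        denied = True
    clock["t"] += SIX_YEARS + timedelta(days=1)                    # retention has now lapsed
    store.delete("policy-1234.pdf", "agent")
    actions = [e["action"] for e in store.audit_trail("policy-1234.pdf")]
    return {"versions": versions, "delete_denied": denied,
            "purged": "policy-1234.pdf" not in store._versions, "actions": actions}
```

Two design points carry over to a real system. The purge decision is made against the newest version's lock, so adding a version to a record extends its protection rather than shortening it, and the refused delete is itself written to the audit trail, which is what lets an auditor see both that someone tried and that the control held.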

This is a fundamental part of how digital records earn their legitimacy and how they can support stronger compliance than paper records. Digital records give agents a more efficient way to organize paperwork, but they also require new methods of protecting those records.

As more of the insurance industry shifts to digital methods of completing work and storing documents with protected information, it's time for agents to learn the proper way of doing it. Files can't be haphazardly saved to a folder on your desktop. Digital security should be at the forefront of an agency's priorities.

WORM isn't just a compliance term—it should be a mantra for all agents that take digital security seriously. It's a method for protecting against human error, staying organized and keeping your archive of records compliant.

Andreas Rivera, a technology writer with experience in both reviewing and marketing tech services and products, is the marketing content writer for eFileCabinet. His areas of expertise include writing about business to business, software as a service companies and how they best address the pain points of businesses, and how document management software helps businesses reinvent their manual processes and spur growth.

Friday, March 5, 2021
Agency Operations & Best Practices