Lined Up: Is Your Agency In Compliance with Cyber Regulations?

By: the Agents Council for Technology

Independent insurance agents and brokers handle sensitive client information every day. In many insurance transactions, consumers must disclose confidential personal information they would not normally or willingly disclose, even to close personal friends.

This puts the burden on agents and brokers to properly collect and protect this information—and that means not only complying with state and federal regulations for cybersecurity, but also adhering to best practice standards for customer service.

Modern technology significantly eases the process of data collection and reduces the time required to write and service policies. But if agents fail to address new tech properly, it can also create risks and exposures that could result in catastrophe.

Federal and state acts such as the Gramm‑Leach‑Bliley Act (GLBA), 23 NYCRR Part 500 from the New York Department of Financial Services (NY DFS) and more aim to protect consumer information [see sidebar]. Although these acts and regulations can be tedious and onerous to address, agents must make compliance a priority.

In cooperation with independent agent distribution entities, the Agents Council for Technology (ACT) created the Agency Cyber Guide 1.0 to assist Big “I” agents and brokers with this mission.

The Cost of Noncompliance

Half of small and midsized businesses suffered a cyberattack in 2016, according to SecurityIntelligence, and that share is expected to keep rising. The U.S. National Cyber Security Alliance reports that 60% of small companies are unable to sustain their businesses six months after a cyberattack. And according to the Ponemon Institute, the average cost of recovery after a small business has been hacked sits at $690,000. For middle‑market companies, it’s over $1 million.

But the costs are not just confined to lost business. Noncompliance with any of these regulations may come with substantial penalties. Like data breach communication requirements, these vary by state, but can be assessed in the form of civil penalties per resident affected and/or per breach, plus additional penalties for actual economic damages. Noncompliance is also punishable by other state‑specific deceptive trade practices laws, or as prescribed by a state attorney general.

Note: The law that applies is not that of the state where the breach occurred, nor the state where the agent is located, but rather the jurisdiction of the person whose data was breached. Regulations also require specific timelines for response, and may render penalties for each day of failure to provide notice of a breach.

Bottom line: Noncompliance and lack of action can cost your business dearly.

Regulation 101

Note that all of the items listed here are core requirements for complying with GLBA, and they overlap heavily with newer regulations such as 23 NYCRR Part 500 from the NY DFS. They are also considered best practices for agency cybersecurity. Agencies that do business in New York may qualify for limited exemptions from some of the Part 500 requirements, but GLBA still applies. Visit the NY DFS online at dfs.ny.gov for details.

For links to various resources that can help you comply with each regulation listed here, download the full Agency Cyber Guide 1.0.

1) Risk assessment: the identification of hazards that could negatively impact an organization’s ability to conduct business. These assessments help identify inherent business risks, and provide measures, processes and controls to reduce the impact of these risks to business operations. Your assessment should include a risk mitigation checklist.

2) Written information security policy: a document that states how a company plans to protect its physical and IT assets. The document must detail your agency’s internal and external mitigation policies for security, governance, inventories, controls, continuity and disaster planning, and systems monitoring.

ACT offers a free downloadable written security policy for independent agents.

3) Incident response plan: an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs, while complying with federal and state regulations.

This includes communicating with the state superintendent, customers, insurers and third‑party service providers upon detecting a cybersecurity event. The incident response plan should be part of your overall written information security policy.

4) Staff training and monitoring: Even if all other areas are compliant, one misstep by agency personnel can expose data. ACT strongly recommends that all businesses—regardless of size—comply with this regulation.

5) Penetration testing and vulnerability assessment: Penetration testing refers to the annual testing of computer systems, networks or web applications to uncover vulnerabilities an attacker could exploit. Test from both inside your network and from the internet, since an insider or a compromised workstation sees a different attack surface than an outside attacker does.

A vulnerability assessment is a process, performed at least twice a year, that defines, identifies and classifies the security holes in computers, networks or communications infrastructures. It is typically scanner‑driven and broader but shallower than a penetration test, which is why the two are complementary rather than interchangeable.

6) Access control protocol: responds to regulations that require restricted access to nonpublic information, including personally identifiable information (PII), protected health information (PHI) and payment card information (PCI). In practice this means each employee can reach only the records their role requires, and access is removed promptly when the role changes or the person leaves.

7) Written security policy for third‑party service providers: written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third‑party service providers. Note: The National Association of Insurance Commissioners refers to this as an “information security program.”

This is an evolving issue, with regulatory guidance to come. For the NY DFS regulations, these elements do not take effect until March 1, 2019.

8) Encryption of nonpublic information: Encryption is the process of encoding data so that only parties holding the correct key can read it.

Nonpublic information refers to all electronic information that is not publicly available. For insurance purposes, this refers to PII, PHI and PCI. This regulation describes the need to encrypt and protect this data both at rest (in storage) and in transit (over networks). Note that encryption is only as strong as the key management behind it: keys stored next to the data they protect provide little real protection.

Where encryption is infeasible, the NY DFS rule allows alternative compensating controls approved by the agency’s chief information security officer, but the feasibility of encryption and the effectiveness of those controls must be reviewed at least annually.

9) Designation of chief information security officer (CISO): the title the NY DFS requires for agencies that do business in New York and are not exempt. Nationally, the role can be “data security coordinator.” The function may be filled by a qualified employee, an affiliate or a third‑party service provider, but the agency remains responsible for its security program.

10) Audit trail: an electronic record that provides a step‑by‑step documented history of a transaction. It enables an examiner to trace financial data from the general ledger to the source document, such as an invoice, receipt or voucher. For cybersecurity purposes, the same principle applies to system logs: they should let you reconstruct who accessed or changed which record, and when, so that a cybersecurity event can be detected and its scope determined. A reliable audit trail is an indicator of good internal controls and gives examiners an objective basis for their findings.

Using your agency management system with all other interfacing systems generally provides a solid foundation for an audit trail.

11) Implementing multifactor authentication: an authentication method that requires more than one proof of identity, drawn from different categories of credentials (something you know, something you have, something you are), to verify a user for login or another transaction.

For example, a policyholder logs in to an agency’s website with a password and must then enter an additional one‑time password that the website’s authentication server sends to the policyholder’s phone or email address. Codes delivered by SMS or email are weaker than authenticator apps or hardware security keys, since they can be intercepted or the mailbox itself can be compromised, so they should be treated as a minimum rather than the goal.
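The server side of the one‑time‑password step described above, written as an added example for this article rather than code from ACT or from any agency management system. It assumes the first factor (the password) has already been checked, and shows the properties such a step needs: a code drawn from a cryptographic random source, stored only as a keyed hash, valid for a short window, usable once, limited in guesses, and compared in constant time. The delivery channel (SMS or email sender), the user identifier and the fake clock are hypothetical stand‑ins for illustration.

```python
"""Server-side one-time-password (OTP) step for multifactor authentication.

Added example: the issuing and verifying logic an agency website would run
after a password has been accepted. Sending the code to the policyholder is
left to a (hypothetical) SMS/email sender; nothing here talks to a network.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6          # length of the code the policyholder types in
OTP_TTL_SECONDS = 300   # code is valid for five minutes after issue
MAX_ATTEMPTS = 5        # guesses allowed before the code is invalidated


@dataclass
class PendingOtp:
    """What the server keeps per user: never the code itself, only its keyed hash."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies short-lived, single-use OTP codes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        # The clock is injectable so expiry can be exercised without sleeping.
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Keyed hash: a leaked pending-OTP table does not reveal live codes.
        return hmac.new(salt, code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery.

        The return value goes to the SMS/email sender only; it must not be
        logged. Issuing a new code replaces any previous pending code.
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingOtp(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False                      # nothing issued, or already used
        if self._clock() > pending.expires_at:
            del self._pending[user_id]        # expired: force a new code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: invalidate
            return False
        ok = hmac.compare_digest(self._hash(submitted, pending.salt), pending.code_hash)
        if ok:
            del self._pending[user_id]        # single use: consume on success
        return ok


class FakeClock:
    """Controllable clock for demonstrating expiry (test helper, not production code)."""

    def __init__(self, start: float) -> None:
        self.now_value = start

    def now(self) -> float:
        return self.now_value

    def advance(self, seconds: float) -> None:
        self.now_value += seconds


def wrong_code(code: str) -> str:
    """A code guaranteed to differ from `code` (used to exercise rejection paths)."""
    return f"{(int(code) + 1) % (10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = OtpService(clock=clock.now)
    code = svc.issue("policyholder-42")       # hypothetical user identifier
    print("wrong code accepted:", svc.verify("policyholder-42", wrong_code(code)))
    print("right code accepted:", svc.verify("policyholder-42", code))
    print("replay accepted:    ", svc.verify("policyholder-42", code))
```

The attempt limit and the expiry are what turn a six‑digit code into a usable second factor: without them an attacker who has captured the password can simply iterate through the million possible values.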

12) Procedure for disposal of non‑public information: a documented process for securely destroying electronic information that is not publicly available, including PII, PHI and PCI, once it is no longer needed for business or legal reasons. Improper document destruction is often a downfall of small business security.

Regulations vary by state. Agents who do business in multiple states should adhere to the highest level of requirements.

Keep in mind: There’s a difference between complete disposal and simple deletion. Deleting a file or record usually removes only the reference to it; the data itself remains recoverable until it is overwritten, and copies may persist in backups, exports and synced folders. Contact your agency management system provider for their disposal protocol.

This article is adapted from ACT’s Agency Cyber Guide 1.0.