With no clear overarching federal guidance to date, and a national patchwork of inconsistent rules and regulations, cybersecurity can seem both daunting and confusing. Business managers who have not yet faced a significant cyber incident, such as a sensitive data breach, may feel like they can put things off and worry about cybersecurity later.

Unfortunately, that decision can prove costly for an agency, broker or even a major insurance company.

Over the past few years, cyberattacks against small and medium businesses have skyrocketed, particularly in the insurance industry. The COVID-19 pandemic has only accelerated that trend. Cyber regulations have become more widespread too—meaning that implementing and maintaining a robust and compliant cybersecurity program at your business cannot be placed on the back burner.

As Ben Franklin once wrote regarding fire-fighting techniques, “an ounce of prevention is worth a pound of cure."

Here are six essential steps the Big “I" encourages members to take promptly, if they have not already done so:

1) Develop and maintain a comprehensive written cybersecurity policy. A written cybersecurity policy is perhaps the most fundamental step for any company's cybersecurity program because it reflects and guides the company's actual security policies and procedures. It is not just good practice—it may also be required of your business by the federal Gramm-Leach-Bliley Act, state data security laws and/or contractual provisions in carrier agreements.

If you are not sure where to start, the Agents Council for Technology (ACT) Security Issues work group, in conjunction with Big “I" National and Big “I" New York, developed a sample template of a written cybersecurity policy for members. The sample can be tailored to your practices and is available as part of ACT's Agency Cyber Guide 3.0.

2) Obtain cyber insurance coverage. Cyber coverage has virtually become table stakes for operating in today's business environment. While some agency appointment agreements even require minimum levels of coverage, there are other practical benefits to an agency obtaining coverage.

Cyber coverage may not only help mitigate the impact of an incident, but cyber risk solutions, such as those offered by Coalition, an industry leading cyber insurer and Big “I" Markets partner, can help prevent incidents before they happen.

Coalition's automated risk assessments identify potential security weaknesses and offer actionable recommendations to improve your agency's security posture. Coalition's ongoing threat and vulnerability monitoring keeps policyholders informed of third-party data breaches, vendor vulnerability notices, malware, infections, and more. A vulnerability disclosure program is a process allowing security researchers to report security flaws directly to your organization. This service is also free to Coalition policyholders through HackerOne and can help members stay ahead of the curve on cybersecurity.

If you would like to learn more, visit the Big “I" cyber webpage or reach out to Carla McGee, Big “I" Markets cyber program manager, with any questions.

3) Update your company's systems and defenses. It is said that “you don't have to be faster than the bear; you just have to run faster than the person next to you." The same can prove true for cybersecurity. Even if you lack the most expensive and sophisticated cybersecurity tools, you need to make sure you are keeping up with the rest of the pack.

Some important precautions to take include updating your computer software, ensuring that your systems have anti-virus and firewalls installed, and using strong passwords and device encryption. Agents should also consider other defenses that are becoming increasingly common, such as multi-factor authentication (MFA).

For more on technical security tools, please see Coalition's 2021 Cybersecurity Guide, which offers detailed recommendations for implementing MFA, secure emails, effective password management, and more. 

For a shorter read, check out Big “I" Markets' 7 Tips for Securing Your Agency Against Cyber Threats, available after completing a contact information form; and ACT's Summary of Antivirus and Anti-Malware Software for Agencies. 

4) Provide education and review protocols for employees and their devices. “All the firewalls, operating system patches, and defenses are still insufficient if your agency staff is not properly trained on security protocol. One errant click can leave your data vulnerable, as well as that of your customers," says Ron Berg, ACT executive director.

Periodic and consistent employee cybersecurity training is not only good practice, but also may be expressly required under certain laws such as the New York Department of Financial Services (NY DFS) Cybersecurity Regulations.

Additional resources on cybersecurity education and training include Agency Security Education & Training, and the Security Awareness Training available to Coalition policyholders.

In addition to regular training and testing, agencies should also pay particular attention to policies and protocols relating to employee devices, especially if employees are to “bring your own device" (BYOD) for work activities. The COVID-19 pandemic also means that many employees are working remotely from home, which poses additional security vulnerabilities. Visit the ACT website for more on the opportunities and risks associated with BYOD and work from home.

5) Consider third-party service providers as sources of help and risk. There are many reputable cybersecurity service providers who may be able to assist your agency. As noted above, Coalition policyholders have access to a number of helpful tools to improve their agency's security.

Conversely, some of the largest data breaches have occurred due to a third-party service provider with weak cybersecurity. The 2013 Target data breach occurred due to hackers breaking into the retail store's systems through a connection with its HVAC company. Similar breaches through third-party systems continue to occur with increasing frequency.

Learn more on this issue and a matrix of industry cybersecurity providers.

6) Review applicable state, local or contractual requirements. There are a wide variety of federal, state, local and contractual cybersecurity rules, regulations and requirements that may be applicable to an insurance agent and broker. These include the Gramm-Leach-Bliley Act (GLBA), the New York Department of Financial Services (NYDFS), and other state insurance data security laws (generally based on the National Association of Insurance Commissioners Insurance Data Security Model Law).

Some state privacy laws also attempt to import cybersecurity requirements. Additionally, carriers increasingly propose more stringent cybersecurity requirements in their appointment contracts.

Do not fear—the Big “I" has your back. First, the Government Affairs team is constantly working with state and federal legislators and regulators in an effort to ensure any future rules and requirements are fair and reasonable.

Second, the Big “I" Office of General Counsel offers both formal and informal reviews with general guidance on company appointment contracts and works with carriers to try to ensure cybersecurity provisions that are reasonable and mutually beneficial.

Finally, some other helpful free resources on cybersecurity include:

• Coalition's free knowledge base, which includes a step-by-step guide for understanding security compliance and how Coalition can assist.

• Department of Homeland Security's top resources for small and midsize businesses, FCC's Cyber Planner; and FTC's Cybersecurity for Small Business.

Eric Lipton is Big "I" senior counsel. 

If you have any questions about the above or other issues relating to cyber coverage or cybersecurity protocols, regulations or legislation, please reach out to Big “I" Markets (Carla McGee), the Agents Council for Technology (Ron Berg or Ginny Winkworth), the Office of General Counsel (Scott Kneeland or Eric Lipton) or Big “I" Government Affairs (Charles Symington or Wes Bissett).

This article is intended for general informational purposes only. The article is not intended to constitute and should not be considered or relied upon as legal or other professional advice, nor shall it serve as a substitute for obtaining such advice. If specific expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney or cybersecurity expert, should be sought.