The world of cybercrime, data breaches, and loss of personal information is accelerating. Add to the mix the regulations imposed on small businesses from Gramm-Leach-Bliley, the New York DFS and NAIC, and it becomes a dizzying quandary on where to begin. Our ACT Security Issues Work Group has recently upgraded their Agency Cyber Guide to include increased information not only on regulations and how to get started, but also a comprehensive list of cyber vendors who offer solutions to assist agencies in ensure their critical data and systems are protected.
Handling sensitive information is now one of the most critical responsibilities faced by the modern insurance agency. Independent insurance agents and brokers must properly collect and protect sensitive client information every day. This means complying with state and federal regulations as well as adhering to customer service best practice standards.
Every state now has data breach response laws - and in the future, each state's regulations may vary based on their insurance department's interpretations. The Gramm-Leach-Bliley Act ('GLBA') covers all other models and state laws are emerging, most prominently the New York Department of Financial Services (NY DFS) which puts onus on any entity transacting business in the state of NY (not just domiciled in NY).
Now emerging is the new National Association of Insurance Commissioners (NAIC) Insurance Data Security Model, which several states have already adopted, and many others are reviewing.
These acts and regulations can be difficult to address given the multifaceted responsibilities agents encounter daily, but it must be a priority.
The Agents Council for Technology (ACT) in cooperation with our carrier, vendor, and agent/broker members and has created and now updated our Agency Cyber Guide 2.0" for Big I" independent agents and brokers. This tool includes a list of the major Federal and State regulations with clear descriptions and resources to address each, including detailed information on each vendor/service provider. Given the swift nature of change in technology and the increasing sophistication of cybercrime, this tool will be updated on a periodic basis.
Understanding the escalation and threat of cyber attacks is one part of the picture. Check out the trend in overall US data breaches:
2014: Over 1 billion records exposed
2015: 707 million records exposed
2016: 1.37 billion records exposed
2017: 2.6 billion records exposed
2018: On track for 9 billion records exposed.
ID theft, ransomware, and a focus on small businesses are key to this huge increase.
And when we say small businesses', we mean independent agencies.
In 2015, only 0,15% of total records compromised were from the financial sector
In 2016, it was 0.96%
In 2017, it leapt to 7.25%
In 2018, it has almost doubled to 14%!
The costs to a business experiencing a breach are staggering. The Ponemon Institute indicates that Cyber-attacks cost small businesses between $84,000-$148,000, and can reach as high as $690,000.
Even more concerning, from several recent studies almost 60% of small businesses go out of business within six months of an attack. Imagine being the trusted guardian of your customers' data and them being required to communicate that their data has been breached.
It's not all bad news Our Agency Cyber Guide 2.0 breaks down the cyber landscape with clear insights, lists all regulations with resources to address them, AND provides a vendor matrix, listing a wealth of cyber vendor providing services across the regulatory spectrum.
The bottom line is that non-compliance and lack of action can have profound implications on businesses. The 'Compliance and Protection Roadmap' within ACT's Agency Cyber Guide 2.0" will help you overcome the hurdles!
One additional note is regarding the NY DFS looming regulation 500.11 which relates to third-party service providers this goes into effect March 1, 2019. ACT, the Big 'I' National Association Counsel and the Big 'I' of NY are working with industry insurance carriers to address the requirement which considers independent agents of insurance carriers as 'third-party providers'. More to come on this nationally soon.
NOTE ON THIS DOCUMENT: With this resource ACT is working to maintain accurate information as it emerges. We will update this document as frequently as needed to add new regulations, resources, and vendor assistance. For the full document, click here.