Handling sensitive information is now one of the most critical responsibilities faced by the modern insurance agency.
Independent insurance agents and brokers must properly collect and protect sensitive client information every day. This means complying with state and federal regulations as well as adhering to customer service best practice standards.
Every state now has a data breach notification law, and each state's insurance department may interpret its own regulations differently. The Gramm-Leach-Bliley Act ('GLBA') is the federal baseline underlying the other models and state laws, including the New York Department of Financial Services (NY DFS) cybersecurity regulation and the NAIC Insurance Data Security Model Law, which several states have already adopted and many others are reviewing.
“A State Statute, Regulation, Order, or Interpretation is not inconsistent with the provisions of the GLBA if the protection offered by the Statute, Regulation, Order or Interpretation is greater than that offered under the GLBA. The States are required to implement and enforce the GLBA Privacy Requirements for Insurance Agents, Brokers, and Carriers.”
IIABA General Counsel 2016 – “The Privacy Provisions of The Gramm-Leach-Bliley Act and Their Impact on Insurance Agents & Brokers"
** GLBA is the floor for financial institutions, including insurance companies and agencies. State laws must be at least as protective as GLBA; a state that wishes to legislate differently may only add to or exceed what GLBA requires, never relax it.
These acts and regulations can be difficult to address given the many responsibilities agents juggle daily, but compliance is mandatory and must be a priority.
IMPORTANT: In 2016, The Big I General Counsel did an in-depth review of the GLB Act and provided significant insights on the data security, carrier contracts and overall information security implications of this mandatory Federal Act.
Please review the privacy provisions as detailed in THIS DOCUMENT to gain insights on their impact to you as an independent agent - Particularly the data security requirements and contract implications detailed in Section VI on pages 5 & 6.
The Agents Council for Technology (ACT), in cooperation with our carrier, vendor and agent/broker members, has created this Agency Cyber Guide for Big 'I' independent agents and brokers. This tool includes a list of the major federal and state regulations with clear descriptions and resources to address each, including detailed information on each vendor/service provider. Given the swift pace of change in technology and the increasing sophistication of cybercrime, this tool will be updated periodically.
Download the Cyber Guide 2.0 PDF Feb 2020
MEMBERS ONLY: Download the Written Security Policy template here!
12 Steps for Agency Compliance - As defined by GLBA
- Risk Assessment
- Written Security Policy
- Incident Response Plan
- Staff Training and Monitoring
- Penetration Testing/Vulnerability Assessment
- Access Control Protocol
- Written Security Policy for 3rd-Party Service Providers
- Encryption of Non-Public Information
- Designation of CISO
- Audit Trail
- Implementing Multi-Factor Authentication
- Procedure for Disposal of Non-Public Information
Regulations and Descriptions
Note that all twelve steps listed above are needed to comply with GLBA, and they also map onto newer regulation such as NY DFS. They are considered best practices for agency security whether or not a particular regulation applies to you.
Agencies doing business in New York may qualify for a limited exemption from some requirements of the NY DFS cybersecurity regulation (23 NYCRR Part 500). GLBA still applies in full. Details on NY DFS exemption eligibility and filing are in the Appendix at the end of this document.
- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and systems, and to prevent employees from providing customer information to unauthorized individuals who seek it through fraudulent means;
- Access restrictions at physical locations containing customer information;
- Encryption of electronic customer information, including when in transit or in storage on systems where unauthorized individuals may have access;
- Procedures to ensure that customer information system modifications are consistent with an organization's information security program;
- Dual control procedures, segregation of duties and employee background checks for employees with access to customer information;
- Monitoring of systems and procedures to detect actual and attempted attacks on or intrusion into customer information systems;
- Response programs for when an organization suspects or detects that unauthorized individuals have gained access to customer information systems;
- Measures to protect customer information from destruction, loss or damage by environmental hazards or technological failure;
- Training for staff to implement the security program; and
- Regular testing of the key controls, systems, and procedures of the security program.
It is critical that agents and brokers understand and comply with GLBA requirements to protect their clients' data.
For additional background and resources, review this series of webinars offered by the Big 'I' Illinois state association:
Cost and Penalties for Non-compliance
Non-compliance with any of these regulations may carry a substantial penalty. Penalties vary by state, as do the data breach notification requirements. Penalties can be assessed as:
- Civil penalties per resident affected and/or per breach,
- Additional penalties for actual economic damages,
- Also punishable by other state-specific deceptive trade practices laws, or as prescribed by a state attorney general.
- The applicable law is generally that of the state where the affected individual resides, not where the agency is located.
Notification deadlines also apply, and delays in giving notice may carry their own penalties.
The IIABA Office of General Counsel's paper “The Privacy Provisions of the Gramm-Leach-Bliley Act and Their Impact on Insurance Agents & Brokers" defines the penalties for noncompliance under section VIII – Enforcement as follows:
1 Penalties for Insurance related entities are enforced by each state's Department of Insurance.
2 Civil action against any financial institution that engages in conduct constituting a violation of the Act.
3 Financial institutions found to have violated the Act can be fined –
A Up to $100,000 for each violation.
B Officers and directors of the financial institution ('agencies') may be personally liable for a civil penalty of not more than $10,000 per violation.
Costs and Penalties for Noncompliance could include the following -
1 Legal expenses
2 Computer forensics expenses
3 Notification and call center expenses
4 Crisis management and public relations expenses
5 Cyber extortion expenses
6 Data restoration expenses
7 Business interruption expenses
8 Dependent business interruption expenses
9 Fraudulent transfer of funds
10 Possible ID monitoring and protection expenses
11 Privacy and security related litigation expenses – lawsuits filed by customers or employees
12 Regulatory fines – fines by state and federal regulators
13 Payment card losses – fines and penalties from card brands and acquirers under PCI DSS requirements
AGENCY FINANCIAL PENALTIES DUE TO A BREACH - AS DEFINED IN AGENCY CONTRACTS
As a result of the hold harmless and indemnification sections of agency/carrier agreements, the agency could be required to pay the following costs and expenses, which would be in addition to the direct cost and expenses incurred by the agency in defense of their actions.
1 Pay all costs of the Carrier's investigation, both of the Agency itself and of any national investigation the Carrier must conduct because the breach originated at the agency level.
2 Pay all costs of the required notifications by the Carrier.
3 Pay all costs of attorney fees that were accrued by the Carrier.
4 Pay all defense and liability costs accrued by the Carrier.
5 Pay any additional costs accrued by the carrier as a result of the Agency's executed agency-carrier agreement.
Real-World IA Breaches
Data breaches of large businesses are in the news every day. Small and medium-sized agencies are not immune.
The results can be disastrous. Having to tell your entire client base that the system holding their sensitive personal data has been lost to hackers or other cybercrime can cripple your agency.
Facts and Stats
The bottom line: Non-compliance and lack of action can have profound financial implications for your agency.
Compliance and Protection Roadmap
The following items in this compliance and protection roadmap are designed to help agencies meet regulatory requirements. ACT recognizes that the threat and regulatory environment is changing rapidly, so we have developed a process to update this document as individual regulations as well as federal and state laws change.
MEMBERS: Download the sample policy template here!
1. Risk Assessment
A risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of these risks to business operations. The assessment should include a risk mitigation checklist.
- ACT/CIS 'Cyber Hygiene Toolkit': for hardware and software, the ability to count, configure, control and patch what you have (you cannot protect an asset you do not know you own).
2. Written Security Policy
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. It can also be referred to as a 'written information security policy' or WISP.
The document must detail your agency's operations for security, governance, inventories, controls, continuity and disaster planning and systems monitoring. This includes internal and external mitigation policies.
3. Incident Response Plan
Incident response is an organized approach to addressing and managing a security breach or attack (an incident) and its aftermath. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while meeting federal and state obligations. These include notice to the state regulator (in New York, the DFS Superintendent, within 72 hours of determining that a reportable cybersecurity event has occurred) and communication to affected customers, insurers and third-party service providers.
This is part of an overall written security plan (see item #2 above).
4. Staff Training & Monitoring
This is a critical requirement. Even if every other area is in compliance, one misstep by agency personnel can expose data through malware, phishing and other intrusions. ACT strongly recommends that all businesses, regardless of size, train their staff on online security risks and test that training (for example with periodic simulated phishing).
5. Penetration Testing and Vulnerability Assessment
Penetration testing (also called pen testing) is the practice of actively attempting to exploit a computer system, network or web application the way an attacker would, to show which vulnerabilities can actually be reached. Regulations such as NY DFS call for it annually, performed from both inside and outside the agency network.
A vulnerability assessment defines, identifies and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure, usually with automated scanning; NY DFS calls for it twice a year (biannual). The two are complementary: scanning finds the known weaknesses, the pen test shows what they add up to.
6. Access Control Protocol
This responds to regulations requiring that access to non-public information (PII, PHI and payment card data) be restricted to the people and systems that need it. In practice that means unique user accounts (no shared logins), least-privilege role assignments in the agency management system, and prompt removal of access when staff leave or change roles.
- FTC.Gov - How to Comply with the 'Privacy of Consumer Financial Information Rule' of the Gramm-Leach-Bliley Act
7. Written Security Policy for Third-Party Service Providers
These are written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
Note: The NAIC treats this as part of the "information security program."
This is an evolving issue, with further regulatory guidance to come.
Note: This element of the NY DFS regulation (third-party service provider security policy) took effect March 1, 2019. We are working with Big 'I' national and New York state representatives to develop a balanced approach.
8. Encryption of Non-Public Information
Encryption is the process of encoding information so that it can be read only by whoever holds the key, normally the sender and the intended recipient.
Non-Public Information refers to all electronic information that is not publicly available; for insurance purposes it means PII (personally identifiable information), PHI (protected health information) and payment card data (the data PCI DSS protects).
This regulation describes the need to encrypt this data both at rest (servers, laptops, backups, phones) and in transit between the agency and its policyholders, carriers and vendors, including email. Ordinary email is not encrypted end to end by default, so documents containing NPI should go through a secure message portal or an email encryption service. Encryption is only as strong as the key management around it: keys should be stored separately from the data they protect and access to them logged.
Note: Where encryption is infeasible, NY DFS allows effective alternative compensating controls instead, but they must be approved by the CISO and the decision reviewed at least annually.
9. Designation of Chief Information Security Officer
NY DFS requires covered agencies doing business in New York to designate a Chief Information Security Officer (CISO) responsible for overseeing the cybersecurity program; the role may be filled by a qualified employee, an affiliate or a third-party service provider. Nationally this role can be viewed as a 'Data Security Coordinator': the named person who owns the program and reports on it.
10. Audit Trail
In a security context an audit trail (also called an audit log) is a chronological record of who did what, to which data, and when: logins, access to client records, exports, permission changes and configuration changes. The accounting meaning (tracing financial data from the general ledger back to the source document such as an invoice, receipt or voucher) is the same idea applied to transactions. A reliable, tamper-evident and easy-to-follow audit trail is an indicator of good internal controls, and it is what allows an examiner, or the agency itself after an incident, to reconstruct what actually happened.
For agencies, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail.
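An audit trail is only evidence if it cannot be quietly edited after the fact. The following is an added example, not part of the ACT guide or any agency management system: a hash-chained, append-only event log in Python, where every entry commits to the previous one, so that editing, deleting or reordering any earlier record is detected by a verifier. The user names, policy and client identifiers and IP addresses are constructed for illustration.

```python
"""Tamper-evident audit trail: a hash-chained, append-only event log.

Each entry stores SHA-256(previous_hash || canonical JSON of the record), so
editing, deleting or reordering any earlier entry breaks every hash after it.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical serialisation (sorted keys, fixed separators) so the same
    # record always produces the same bytes, then chain it to prev_hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log: list, actor: str, action: str, target: str,
                 source_ip: str, when: str = None) -> dict:
    """Append one audit record (who, what, which data, from where, when)."""
    record = {
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "source_ip": source_ip,
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Walk the chain from the start; return (True, -1) if intact, otherwise
    (False, index) of the first entry whose link or hash does not check out."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def demo() -> dict:
    """Build a small constructed log, then show that silent edits and deletions
    are caught by verify_chain()."""
    log = []
    # Constructed sample events (hypothetical users, policy and client ids)
    append_event(log, "jsmith", "VIEW", "policy/AUTO-10021", "10.0.0.12",
                 "2020-02-10T14:01:05+00:00")
    append_event(log, "jsmith", "EXPORT", "client/4471/ssn", "10.0.0.12",
                 "2020-02-10T14:02:44+00:00")
    append_event(log, "admin", "GRANT_ROLE", "user/jsmith:agency_admin", "10.0.0.2",
                 "2020-02-10T14:05:19+00:00")
    results = {"intact": verify_chain(log)}

    # An insider rewrites the EXPORT into a harmless-looking VIEW
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "VIEW"
    results["edited"] = verify_chain(edited)

    # The same entry is deleted outright; the next entry's prev no longer matches
    deleted = copy.deepcopy(log)
    del deleted[1]
    results["deleted"] = verify_chain(deleted)

    # The tail hash is what you anchor off-box (SIEM, WORM storage, printout)
    results["tail_hash"] = log[-1]["hash"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The chain only proves tampering to someone who holds a trusted copy of the latest hash: an attacker with write access to the whole file can simply recompute every hash. Ship the tail hash (or the log itself) to a system the agency administrators cannot modify, such as a SIEM, write-once storage or a daily printout kept with the compliance file, and run the verifier against that anchor.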
11. Implementing Multi-Factor Authentication
Multifactor authentication (MFA) is a security control that requires more than one method of authentication, drawn from different categories of credential (something you know such as a password, something you have such as a phone or token, something you are such as a fingerprint), to verify the user's identity for a login or other transaction.
One example is a policyholder logging into an agency website and, after entering a password, being asked for a one-time password (OTP) that the website's authentication server sends to the policyholder's phone or email address. Two credentials of the same category (a password plus a PIN, for instance) are not MFA. SMS and email codes are the weakest form of second factor (NIST SP 800-63B classifies SMS and voice OTP as 'restricted' because of SIM-swap and interception risk); an authenticator app or hardware token is preferred where available, and MFA matters at least as much for staff access to the agency management system, email and remote access as it does for customer logins.
12. Procedure for Disposal of Non-Public Information
As with encryption, this requirement covers all electronic information that is not publicly available, including PII, PHI and payment card data, as well as the paper files and retired devices that hold it.
Improper document and media destruction is a frequent downfall of small business security.
Regulations on this vary by state; agents doing business in multiple states should follow the strictest requirement that applies to them. Keep in mind that deleting a file is not the same as disposing of the information: deletion normally removes only the directory entry, and the data stays recoverable until it is overwritten. Disposal means rendering the information unrecoverable, by overwriting or cryptographic erasure for electronic media and by shredding or certified destruction for paper and retired hardware (NIST SP 800-88 is the standard reference for media sanitization). Keep a record of what was destroyed, when and how.
Also, please contact your agency management system provider for their disposal protocol.
MEMBERS: Download the sample policy template here!
Cyber Security Service Providers:
The Agents Council for Technology reviewed the following service providers to understand their ability to help independent agencies comply with the various regulations. Click on a vendor name for more detailed information on services, rates and contact information.
Additional details on laws driving regulations listed in the ACT Agency Cyber Guide:
NOTE: Section 500.19 of the NY DFS regulation provides a limited exemption from some (not all) of its requirements for smaller agencies doing business in New York. In general, an agency qualifies if it has fewer than 10 employees (including independent contractors), or less than $5,000,000 in gross annual revenue in each of the past three fiscal years, or less than $10,000,000 in year-end total assets. The exemption is not automatic: a Notice of Exemption must be filed with DFS to claim it.
**However, it is strongly encouraged that agencies review and work to comply with these regulations, as they are strong tenets of a solid, effective agency security environment.
Additional insurance solutions:
Following are resources for selling Cyber Security Liability Insurance Policies :
**Do not confuse these with agency security processes detailed in this document prior to this section.