The following items in this compliance and protection roadmap are designed to help agencies meet regulatory requirements. ACT recognizes that the threat and regulatory environment is changing rapidly, so we have developed a process to update this document as individual regulations and federal and state laws change.
MEMBERS: Download the sample policy template here!
1. Risk Assessment
A risk assessment identifies the threats and hazards that could negatively impact an organization's ability to conduct business, and estimates their likelihood and impact. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of those risks on business operations. The assessment should include a risk mitigation checklist.
- ACT/CIS 'Cyber Hygiene Toolkits': for hardware and software, the ability to Count, Configure, Control, and Patch.
2. Written Security Policy
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. It can also be referred to as a "written information security policy" (WISP).
The document must detail your agency's operations for security, governance, inventories, controls, continuity and disaster planning and systems monitoring. This includes internal and external mitigation policies.
3. Incident Response Plan
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations. This includes notice to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers, and third-party service providers.
This is part of an overall written security plan (see item #2 above).
4. Staff Training & Monitoring
This is a critical regulation. Even if all other areas are in compliance, one misstep by agency personnel can expose data due to malware, phishing and other incursions. ACT strongly recommends that all businesses regardless of size train their staff on online security risks.
5. Penetration Testing and Vulnerability Assessment
Penetration testing (also called pen testing) is the practice of actively attacking a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Under this roadmap it should be performed annually, against both internal systems and externally facing systems.
Vulnerability assessment is the process of defining, identifying, and classifying the security holes (vulnerabilities) in a computer, network or communications infrastructure, typically by scanning for publicly known weaknesses. It should be performed biannually (twice a year). The two are complementary: a scan finds known, unpatched issues; a penetration test shows which issues an attacker could actually chain together to reach non-public information.
6. Access Control Protocol
This responds to regulations requiring restricted access to non-public information, including PII, PHI and payment card data (PCI). Access should be granted on a least-privilege, need-to-know basis and reviewed when staff change roles or leave.
- FTC.Gov - How to Comply with the 'Privacy of Consumer Financial Information Rule' of the Gramm-Leach-Bliley Act
7. Written Security Policy for Third-Party Service Providers
These are written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
Note: The NAIC refers to this as an "information security program."
This is an evolving issue, with regulatory guidance to come.
Note: This element of the NY DFS regulations takes effect Mar 1, 2019. We are working with Big 'I' national and NY state representatives to develop a balanced approach.
8. Encryption of Non-Public Information
Encryption is the process of encoding information so that it can be read only by parties holding the correct key, typically the sender and the intended recipient.
Non-Public Information refers to all electronic information that is not publicly available; for insurance purposes it refers to PII (personally identifiable information), PHI (protected health information), and payment card data (commonly labeled PCI after the Payment Card Industry Data Security Standard that governs it).
This regulation describes the need to encrypt and protect this data when at rest (in storage) and when in transit between the insurance agency and its policyholders (for example, by email). Keys must be managed separately from the encrypted data; encrypted data stored next to its key is not protected.
Note: There is an exemption to this requirement, however, it requires a waiver request to be submitted annually.
9. Designation of Chief Information Security Officer
Chief Information Security Officer (CISO) is the title required by NY DFS for some agencies doing business in New York; nationally this role can be viewed as 'Data Security Coordinator'. The role may be filled by an employee or by a qualified third party, but the agency remains responsible for the program.
10. Audit Trail
An audit trail (also called an audit log) is a chronological, step-by-step documented history of a transaction or of activity on a system. It enables an examiner to trace financial data from the general ledger back to the source document (invoice, receipt, voucher, etc.), and it enables an investigator to reconstruct who did what, to which record, and when. The presence of a reliable and easy-to-follow audit trail is an indicator of good internal controls instituted by a firm. To be reliable, the trail must be protected from alteration by the same users whose actions it records.
For agencies, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail.
11. Implementing Multi-Factor Authentication
Multifactor authentication (MFA) is a security system that requires more than one method of authentication from different categories of credentials to verify the user's identity for a login or other transaction.
One example is a policyholder logging into an agency website with a password and then being asked to enter an additional one-time password (OTP) that the website's authentication server sends to the policyholder's phone or email address. The password is something the user knows; the device receiving the code is something the user has. Codes delivered by SMS or email are the weakest form of second factor, since they can be intercepted or phished; where the option exists, prefer an authenticator app or a hardware security key.
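The server side of that OTP exchange has its own failure modes: a code that can be guessed in a few hundred tries, replayed after use, or used hours after it was sent is not much of a second factor. The following is an added example (not ACT's code or any vendor's) of the issuing and checking logic, with the usual controls: a cryptographically random six-digit code, a five-minute lifetime, single use, a cap on guesses, constant-time comparison, and storage of only a keyed hash of the code. The `deliver` callback stands in for the SMS gateway or mail relay (an assumption; no real delivery happens), and the server key, username and clock values in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a delivered code is good for five minutes
MAX_ATTEMPTS = 5        # then the challenge is burned and must be reissued


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issue and verify one-time codes sent to a user's phone or email.

    `deliver(username, code)` is assumed to hand the code to an SMS or mail
    gateway. `clock` is injectable so expiry can be exercised in tests.
    """

    def __init__(self, server_key: bytes, deliver, clock=time.time):
        self._key = server_key
        self._deliver = deliver
        self._clock = clock
        self._challenges: dict[str, Challenge] = {}

    def _hash(self, username: str, code: str) -> bytes:
        # Keyed hash, so a dumped challenge table does not reveal live codes.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> None:
        # secrets.randbelow is a CSPRNG; random.randint would be guessable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[username] = Challenge(
            code_hash=self._hash(username, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._deliver(username, code)  # plaintext code leaves only via delivery

    def verify(self, username: str, submitted: str) -> bool:
        ch = self._challenges.get(username)
        if ch is None or ch.used:
            return False                      # nothing outstanding, or replay
        if self._clock() > ch.expires_at:
            del self._challenges[username]
            return False                      # stale code
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[username]    # online guessing cap
            return False
        ok = hmac.compare_digest(self._hash(username, submitted), ch.code_hash)
        if ok:
            ch.used = True                    # single use
        return ok


def demo() -> dict:
    """Constructed walk-through using an in-memory inbox and a fake clock."""
    inbox: dict[str, str] = {}
    now = [1_700_000_000.0]

    def deliver(username: str, code: str) -> None:
        inbox[username] = code                # stands in for SMS/email delivery

    user = "policyholder@example.com"
    svc = OtpService(b"constructed-server-key", deliver, clock=lambda: now[0])
    results = {}

    svc.issue(user)
    code = inbox[user]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = svc.verify(user, wrong)
    results["right_code"] = svc.verify(user, code)
    results["replay"] = svc.verify(user, code)

    svc.issue(user)                           # new code, then let it expire
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify(user, inbox[user])

    svc.issue(user)                           # new code, exhaust the guess cap
    code = inbox[user]
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, "guess")
    results["after_lockout"] = svc.verify(user, code)
    return results


if __name__ == "__main__":
    print(demo())
```

Pair this with rate limiting on the issue endpoint as well, so an attacker cannot flood a policyholder's phone with codes or use the service as an SMS relay.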
12. Procedure for Disposal of Non-Public Information
As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and payment card data (PCI).
Improper document destruction is often a downfall of small business security.
Regulations on this vary by state. Agents doing business in multiple states should adhere to the highest level of requirements. Keep in mind that there is a difference between complete disposal of information and simple deletion: deleting a file normally removes only the reference to it, and the data remains recoverable until it is overwritten. Complete disposal means overwriting, cryptographic erasure (destroying the key that encrypts the data) or physical destruction of the media, and it applies to backups and copies held by cloud services as well as to local drives.
Also, please contact your agency management system provider for their disposal protocol.