Independent agents are facing rapidly developing challenges in cyber risk and security that have emerged in the last 18 months. Client risk exposures, agency technologies, and the way agents work are all being affected, often in dramatic ways.
Most independent agencies do not have the in-house manpower or expertise to navigate such a deluge of change. They would be best advised to partner with IT cybersecurity professionals to help them protect their own agencies and to communicate risk to their clients. Here are several key areas in which cybersecurity experts can help your agency and your clients:
Establish cybersecurity protocols
Last year, in the mad rush to pivot to a work-from-home environment, many companies across a wide range of industries stepped out from behind their firewalls into an unprotected “wild west” with no VPNs, no secure Wi-Fi, and no device controls. Many companies, particularly first-timers to remote work, failed to address and manage the cybersecurity risks.
Vulnerabilities surged: Multiple new devices and new entry points for workplace networks were shared with family members and schools; employees worked remotely on public networks at local coffee shops; information was downloaded from unknown sources. When the attack vectors combined, cyberattacks, ransomware and email phishing attempts skyrocketed.
A key challenge with remote work is that employees must be more self-reliant when it comes to computer and network security. People are working but also managing interruptions and distractions, so they're not always meeting their security obligations. They don't have an IT security expert at home making sure their computers and online connections are secure. Without a protocol to follow, security is difficult to self-manage.
Agents are also finding it more difficult to liaise with their clients and diagnose client risk when clients are working remotely. Because of all the attack vectors involved in a remote work setting, remediation companies have found it difficult to pinpoint breach sources.
Now that hybrid-remote work has become permanent in many organizations, it's imperative for companies to address the cyber risks associated with it. Protocols need to be established — such as BYOD policies, online meeting safety checklists, and cyber hygiene practices. And then companies need to find ways to enforce those protocols.
Focus on secure workflows and technology
Digital transformation and insurtech are exciting when they create more efficient workflows in the insurance industry. But new technologies are also creating some new security concerns.
As digital solutions make it possible to automate manual processes in a paperwork-intensive industry, insurtech must make sure security integrity remains a top priority.
And before they implement any new digital solutions, apps, or integrations, agencies must validate that the systems and software are secure and meet industry standards for cybersecurity. Any time new apps are integrated into a system, agencies must be able to answer critical security questions, such as the following:
- Are these new apps encrypting client data?
- Who is authorized to access these apps?
- Are there administrators trained to monitor use and detect any misuse?
Data stewardship cannot be overlooked by any organization or business. Regardless of who is operating the system or the software, businesses have the responsibility to protect their clients' data. That responsibility cannot be passed off onto another party.
Expert cyber education for your team and your clients
There's now a cybersecurity digital divide separating many businesses. Although some mature organizations have effective policies and protocols in practice, other firms are so overwhelmed that they don't know where to start. Some businesses don't really care what a ransomware attack looks like and don't want to waste time trying to interpret industry jargon. They simply want to be protected by cyber solutions that won't disrupt their core business — that are fast, affordable and easy to implement.
Cybersecurity is changing constantly, and there can be E&O risk to getting the facts wrong. Agents possess specific expertise when it comes to policies and coverage, but they often aren't positioned to be cybersecurity educators.
As a result, agencies best serve themselves and their clients by leaving cybersecurity education to the IT professionals. Agencies should leverage independent recommendations from skilled specialty IT professionals who have the demonstrated domain experience in cyber risk.
Agents should always focus their individual efforts on connecting with their clients in the language of a client's business, quantifying their risk in plain, jargon-free language.
Employ risk assessment solutions
One approach that agents can use to provide better coverage for their clients is through independent risk assessment solutions. An independent risk assessment firm can diagnose risk up front, pinpointing key vulnerabilities. This more effective and efficient risk assessment process can help agents differentiate themselves by providing a convenient service to clients that replaces extensive apps, streamlining the marketing process and getting the proper coverage for their clients.
Bill Haber (firstname.lastname@example.org) is CEO and co-founder of new ACT member TEKRiSQ, a risk assessment and technology consulting firm.
BONUS: ACT's Agency Cyber Guide 3.0 (which also includes an Agency Cyber-Readiness Self-Assessment tool) is an excellent resource to assist as you focus on the cybersecurity issues mentioned in this article.