Handling sensitive information is now one of the most critical responsibilities faced by the modern insurance agency.
Independent insurance agents and brokers must properly collect and protect sensitive client information every day. This means complying with state and federal regulations as well as adhering to customer service best practice standards.
Every state now has data breach response laws, and in the future each state's regulations may vary based on their insurance department's interpretations. The Gramm-Leach-Bliley Act ('GLBA') covers all other models and state laws, including the New York Department of Financial Services (NY DFS) and the new National Association of Insurance Commissioners (NAIC) Model, which several states have already adopted, and many others are reviewing.
These acts and regulations can be difficult to address given the multifaceted responsibilities agents encounter daily, but it must be a priority.
The Agents Council for Technology (ACT), in cooperation with our carrier, vendor, and agent/broker members, has created this Agency Cyber Guide for Big “I” independent agents and brokers. This tool includes a list of the major Federal and State regulations with clear descriptions and resources to address each, including detailed information on each vendor/service provider. Given the swift nature of change in technology and the increasing sophistication of cybercrime, this tool will be updated on a periodic basis.
Download the Cyber Guide 2.0 PDF, October, 2018
MEMBERS: Download the sample policy template here!
12 Steps for a More Secure Agency
- Risk Assessment
- Written Security Policy
- Incident Response Plan
- Staff Training and Monitoring
- Penetration Testing/Vulnerability Assessment
- Access Control Protocol
- Written Security Policy for 3rd-Party Service Providers
- Encryption on Non-Public Information
- Designation of CIO
- Audit Trail
- Implementing Multi-Factor Authentication
- Procedure for Disposal of Non-Public Information
Regulations and Descriptions
Note that all regulations listed above are critical to comply with GLBA, which also covers other emerging regulation such as NY DFS. These are considered “best practices” for agency security.
Agencies doing business in the state of New York may apply for an exemption under the NY DFS 23 CRR 500 Act for some of the regulations. However, GLBA still applies. Details on NY DFS exemption eligibility and application are in the ‘Appendix’ section at the end of this document.
- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and systems to prevent employees from providing customer information to unauthorized individuals who seek it through fraudulent means;
- Access restrictions at physical locations containing customer information;
- Encryption of electronic customer information, including when in transit or in storage on systems where unauthorized individuals may have access;
- Procedures to ensure that customer information system modifications are consistent with an organization's information security program;
- Dual control procedures, segregation of duties and employee background checks for employees with access to customer information;
- Monitoring of systems and procedures to detect actual and attempted attacks on or intrusion into customer information systems;
- Response programs for when an organization suspects or detects that unauthorized individuals have gained access to customer information systems;
- Measures to protect customer information from destruction, loss or damage by environmental hazards or technological failure;
- Training for staff to implement the security program; and
- Regular testing of the key controls, systems, and procedures of the security program.
Data breaches of large businesses are in the news every day. Small and medium-sized agencies are not immune, and the results can be disastrous. Communicating to your entire client base that your system—which contains their sensitive personal data—has been lost to hackers or cybercrime can cripple your agency.
It is critical that agents and brokers:
- understand cybersecurity requirements, both legal and contractual,
- begin to comply and protect data,
- follow the roadmap to fully address all areas that apply to them.
Cost and Penalties for Non-compliance
Non-compliance with any of these regulations may come with a substantial penalty. Penalties vary by state, as do the data breach communication requirements, and can be assessed as:
- Civil penalties per resident affected and/or per breach,
- Additional penalties for actual economic damages,
- Also punishable by other state-specific deceptive trade practices laws, or as prescribed by a state attorney general.
- The law that applies is that of the jurisdiction of the person whose data was breached.
There are also timelines for responses; delays in giving notice may carry penalties.
Facts and Stats
The bottom line: Non-compliance and lack of action can have profound implications on businesses.
Compliance and Protection Roadmap
The following compliance and protection roadmap is designed to help agencies meet regulatory requirements. ACT recognizes that the threat and regulatory environment is changing rapidly, so we have developed a process to update this document as individual regulations—as well as federal and state laws—change.
1. Risk Assessment
A risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of these risks to business operations. The assessment should include a risk mitigation checklist.
- ACT/CIS 'Cyber Hygiene Toolkits': for hardware and software, the ability to Count, Configure, Control, and Patch.
2. Written Security Policy
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. It can also be referred to as a "written information security policy" or "WISP".
The document must detail your agency's operations for security, governance, inventories, controls, continuity and disaster planning and systems monitoring. This includes internal and external mitigation policies.
3. Incident Response Plan
An incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations. This includes communication/notices to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers, and third-party service providers.
This is part of an overall written security plan (see item #2 above).
4. Staff Training & Monitoring
This is a critical regulation. Even if all other areas are in compliance, one misstep by agency personnel can expose data due to malware, phishing and other incursions. ACT strongly recommends that all businesses—regardless of size—train staff on online security risks.
5. Penetration Testing and Vulnerability Assessment
Penetration testing (also called pen testing) is the annual practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. This should be done internally and externally.
Vulnerability Assessment is a biannual process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure.
6. Access Control Protocol
This responds to regulations requiring restricted access to non-public information, including PII, PHI and PCI.
FTC.Gov - How to Comply with the 'Privacy of Consumer Financial Information Rule' of the Gramm-Leach-Bliley Act
7. Written Security Policy for Third-Party Service Providers
These are written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
Note: The NAIC refers to this as an "information security program."
This is an evolving issue, with regulatory guidance to come.
Note: These elements of the NY DFS regulations do not take effect until Mar 1, 2019. We expect guidance on this soon and will update this resource.
8. Encryption of Non-Public Information
Encryption is the process of encoding a message so that it can be read only by the sender and the intended recipient.
Non-Public Information refers to all electronic information that is not publicly available information and, for insurance purposes, refers to PII (personally identifiable information), PHI (protected health information), and PCI (payment card industry data security standards).
This regulation describes the need to encrypt and protect this data when in storage and when transferred between the insurance agency and its policyholders (for example, by email).
Note: There is an exemption to this requirement, however it requires a waiver request to be submitted annually.
9. Designation of Chief Information Officer
This is the title required by NY DFS for some agencies doing business in New York; nationally this role can be viewed as 'Data Security Coordinator'.
10. Audit Trail
An audit trail (also called an audit log) is an electronic trail that gives a step-by-step documented history of a transaction. It enables an examiner to trace the financial data from general ledger to the source document (invoice, receipt, voucher, etc.). The presence of a reliable and easy to follow audit trail is an indicator of good internal controls instituted by a firm and forms the basis of objectivity.
For agencies, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail.
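A reliable audit trail is one whose records cannot be quietly edited or removed after the fact. The following is an added example, not ACT's code and not the log format of any agency management system: a hash-chained audit log where each record's hash covers the previous record's hash, so an examiner can both trace the step-by-step history of one policy and detect any later alteration. The record fields and the sample events are constructed for illustration.

```python
"""
Tamper-evident audit trail: each record carries a SHA-256 hash that chains
it to the previous record, so an edit or deletion after the fact is
detectable when the trail is examined. Added example (not ACT's code nor
any agency management system's log format); record fields are assumptions.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # chain anchor for the first record (constructed value)


def _record_hash(prev_hash: str, record: Dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        # Each entry: {"record": {...}, "prev": <hash>, "hash": <hash>}
        self.entries: List[Dict] = []

    def append(self, actor: str, action: str, subject: str, detail: str, ts: str) -> str:
        """Append one event and return its hash (the new chain head)."""
        record = {"ts": ts, "actor": actor, "action": action,
                  "subject": subject, "detail": detail}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _record_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _record_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def history(self, subject: str) -> List[Dict]:
        """Step-by-step history of one policy or client, as an examiner would trace it."""
        return [e["record"] for e in self.entries if e["record"]["subject"] == subject]


def demo():
    """Build a small trail, verify it, then show that a later edit is caught."""
    trail = AuditTrail()
    # Constructed sample events for one policy file.
    trail.append("jdoe", "create", "policy-1001", "new auto policy bound", "2018-10-01T09:00:00Z")
    trail.append("jdoe", "update", "policy-1001", "added driver", "2018-10-02T10:15:00Z")
    trail.append("asmith", "view", "policy-1001", "opened client record", "2018-10-03T08:30:00Z")
    intact = trail.verify()                      # None: chain is consistent
    # Simulate an after-the-fact edit to the second record.
    trail.entries[1]["record"]["detail"] = "removed driver"
    tampered = trail.verify()                    # 1: first entry that no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the current chain head (the last hash) should be copied somewhere the log writer cannot change, such as a separate system or a periodic printed report, because a party who can rewrite the whole file can also recompute the whole chain.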
11. Implementing Multi-Factor Authentication
Multifactor authentication (MFA) is a security system that requires more than one method of authentication from different categories of credentials to verify the user's identity for a login or other transaction.
One example is a policyholder logging into an agency website and being requested to enter an additional one-time password (OTP) that the website's authentication server sends to the policyholder's phone or email address.
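To show what the authentication server in that example has to get right, here is an added example written for this guide (not ACT's code and not any vendor's product): server-side issuance and verification of a one-time password sent to the policyholder out of band. The code stores only an HMAC of each code, binds it to one login challenge, expires it, allows a limited number of guesses, and accepts it exactly once. The digit count, lifetime and attempt limit are assumed policy values.

```python
"""
Server-side one-time password (OTP) issuance and verification for a second
login factor. Added example (not ACT's code or any vendor's product); the
class name and policy constants below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6           # assumed policy: 6-digit code
OTP_TTL_SECONDS = 300    # assumed policy: code valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed policy: invalidate the challenge after 5 wrong guesses


class OtpService:
    """Issues OTP challenges and verifies the code the user types back.

    Only an HMAC of each code is stored, so a copy of the challenge table
    does not reveal usable codes. Each challenge is single-use and expires.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # secret known only to the auth server
        self._clock = clock             # injectable for deterministic tests
        self._challenges = {}           # challenge_id -> state dict

    def _tag(self, challenge_id: str, code: str) -> bytes:
        # Bind the tag to the challenge id so a code issued for one login
        # cannot be replayed against another.
        msg = challenge_id.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str):
        """Create a challenge; returns (challenge_id, code).

        The code is what the server sends to the policyholder's phone or
        email; the challenge_id is kept in the login session.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "user": username,
            "tag": self._tag(challenge_id, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def verify(self, challenge_id: str, username: str, code: str) -> bool:
        """Return True exactly once, for the correct, unexpired code."""
        state = self._challenges.get(challenge_id)
        if state is None or state["user"] != username:
            return False
        if self._clock() > state["expires"]:
            del self._challenges[challenge_id]     # expired: user must request a new code
            return False
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]     # too many guesses: invalidate
            return False
        state["attempts"] += 1
        # Constant-time compare so response timing does not leak matching digits.
        ok = hmac.compare_digest(state["tag"], self._tag(challenge_id, code))
        if ok:
            del self._challenges[challenge_id]     # single use
        return ok


if __name__ == "__main__":
    svc = OtpService(secrets.token_bytes(32))
    cid, code = svc.issue("policyholder@example.com")
    print("deliver to user out of band:", code)
    print("verify correct code:", svc.verify(cid, "policyholder@example.com", code))
    print("replay of same code:", svc.verify(cid, "policyholder@example.com", code))
```

The attempt limit matters as much as the code length: a six-digit code has only one million possibilities, so a server that allowed unlimited guesses within the five-minute window would make the second factor far weaker than it looks.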
12. Procedure for Disposal of Non-Public Information
As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and PCI.
Improper document destruction is often a downfall of small business security.
Regulations on this vary by state. Agents doing business in multiple states should adhere to the highest level of requirements. Keep in mind that there is a difference between complete disposal of information and simple deletion.
Also, please contact your agency management system provider for their disposal protocol.
Cyber Security Service Providers:
The Agents Council for Technology reviewed the following service providers to understand their ability to help independent agencies comply with the various regulations. More detailed information on service, rates, and contact information is available for each vendor.
Additional details on laws driving regulations listed in the ACT Agency Cyber Guide:
NOTE: For some of the regulations listed in section 500.19 of the NY DFS regulations, agencies doing business in the state of NY can apply for an exemption. In general, qualifying agencies have fewer than 10 employees, or less than $5,000,000 gross annual revenue in each of the past three fiscal years or less than $10,000,000 in year-end total assets.
**However, it is strongly encouraged that agencies review and work to comply with these regulations, as they are strong tenets of a solid, effective agency security environment.
Additional insurance solutions:
Following are resources for selling Cyber Security Liability Insurance Policies:
**Do not confuse these with agency security processes detailed in this document prior to this section.
ACT would like to thank our Security Issues work group who provided the input and guidance to make this Cyber Guide 2.0 a reality, and especially our work group Chairs, Steve Aronson and George Robertson. We'd also like to share a special 'thank you' to those whose dedicated input helped shape this version: Bill Larson, Erin Odell, Jerry Fox, Joe Doherty, Kathleen Weinheimer, Paul Peeples, Rachel Tuller, and Wes Bissett.