Agency Cyber Guide
Powered by Big “I” Agents Council For Technology
Empower your agency with smart, strategic technology insights.
Agency Cyber Roadmap and Resources
Disclaimer: This guide is intended for general informational purposes only. IIABA and its subsidiaries and affiliates shall not be held responsible for any liability relating to this guide or reliance on any information contained or referenced herein.
IIABA does not guarantee the accuracy or completeness of any information contained or referenced herein. Such information is not intended to constitute and should not be considered investment, accounting, legal or other professional advice. If specific expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney or accountant, should be sought.

How to Use This Roadmap
This roadmap is designed to help agencies understand cybersecurity regulatory requirements. While the steps are listed in a suggested sequence, you can explore them in any order. However, to gain a complete picture of your risks, we recommend starting with a Risk Assessment. From there, identify the areas that matter most to your organization and prioritize your next steps.
For each regulation, we have listed examples of industry and external resources. ACT provides these based on our awareness of services offered, but does not endorse any specific service providers.

Risk Assessment
Typically, this is the first step on your roadmap. A Risk Assessment is the identification of hazards that could negatively impact an organization’s ability to conduct business. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of these risks on business operations. The assessment should include a risk mitigation checklist.
Resources presented by the National Cyber Alliance on how to stay safe online.
A cybersecurity and forensics firm supporting businesses nationwide.
Written Security Policy
A security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets. It can also be referred to as a “written information security policy” or “WISP”.
The document must detail your agency’s operations for security, governance, inventories, controls, continuity and disaster planning and systems monitoring. This includes internal and external mitigation policies.
ACT Cybersecurity Policy Template
A free agency resource to create a written agency security policy – Requires Big ‘I’ ID & password to access.
FCC Cyber Security Planning Guide
This planning guide is designed to meet the specific needs of your company, using the FCC’s customizable Small Biz Cyber Planner tool.


Incident Response Plan
An Incident Response Plan is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an ‘incident’). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations. This includes communication/notices to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers, and third-party service providers. This is part of an overall written security plan.
NCSL Security Breach Notification Laws by State
NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice.
Staff Training and Monitoring
This is a critical regulation. Even if all other areas are in compliance, one misstep by agency personnel can expose data due to malware, phishing, and other incursions. ACT strongly recommends that all businesses, regardless of size, train their staff on online security risks.
Learn how to detect phishing threats and more.
Effective awareness training dealing with the changes made in workplaces.
Cybersecurity Employee Training Guidelines from Travelers
Security awareness training that teaches employees to understand vulnerabilities and threats to businesses.


Penetration Testing And Vulnerability Assessment
- Penetration Testing (also called ‘Pen Testing’) is the annual practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. This should be done internally and externally.
- Vulnerability Assessment is a biannual process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure.
Details the differences between Penetration Testing and Vulnerability Assessments.
Access Control Protocol
This responds to regulations requiring restricted access to non-public information, including PII, PHI, and PCI data.
How to Comply with the ‘Privacy of Consumer Financial Information Rule’ of the Gramm-Leach-Bliley Act


Written Security Policy For Third-Party Service Providers
These are written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. The NAIC refers to this as an information security program.
ACT Cybersecurity Policy Template
Third-Party Service Provider compliance and other related cybersecurity services – Requires Big ‘I’ ID & password to access.
Encryption Of Non-Public Information
Encryption is the process of encoding a message so that it can be read only by the sender and the intended recipient.
Non-Public Information refers to all electronic information that is not publicly available information and, for insurance purposes, refers to PII (personally identifiable information), PHI (protected health information), and PCI (payment card industry data security standards).
This regulation describes the need to encrypt and protect this data when in storage and when transferred between the insurance agency and its policyholders (example: email).
Note: There is an exemption to this regulation; however, it requires a waiver request to be submitted annually. See your state regulations HERE.
Data Encryption 101: The Quick Guide to Data Encryption Best Practices
A quick guide to Data Encryption and best practices.
The Best Encryption Software for 2025
Just because you have antivirus software installed on your PC doesn’t mean a zero-day Trojan can’t steal your personal data. The best encryption software keeps you safe from malware.
TLS – Transport Layer Security
Learn about TLS (Transport Layer Security), designed to facilitate privacy and data security for communications over the Internet.


Designation Of Chief Information Officer
A Chief Information Officer is an executive-level leader responsible for an organization’s information technology and computer systems. While a CIO is not universally required by law in every state for every business, industry-specific regulations and the increasing importance of information security often necessitate having a dedicated individual or role responsible for IT governance and cybersecurity. The title is required by NY DFS for some agencies doing business in New York.
CIO Handbook
US Chief Information Officers Council – Official US Government site providing resources for CIOs to understand the CIO role.
Audit Trail
An audit trail (also referred to as an ‘audit log’) is an electronic trail that gives a step-by-step documented history of a transaction. It enables an examiner to trace the financial data from general ledger to the source document (invoice, receipt, voucher, etc.). The presence of a reliable and easy-to-follow audit trail is an indicator of good internal controls instituted by a firm and forms the basis of objectivity. For agencies, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail.
NIST (National Institute of Standards & Technology) Computer Security Resource Center
National Institute of Standards and Technology – Computer Security Resource Center assistance on Audit Trails.


Implementing Multi-Factor Authentication
Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from different categories of credentials to verify the user’s identity for a login or other transaction.
One example is a policyholder logging into an agency website and being requested to enter an additional one-time password (OTP) that the website’s authentication server sends to the policyholder’s phone or email address.
ID Federation was formed to provide an answer to the industry challenge of limiting the proliferation of IDs and passwords to do business.
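The OTP flow described above (a code sent to the policyholder out of band, then checked by the website’s authentication server) is illustrated here as an added example; it is not code from ACT, Big “I”, or any of the listed resources. The class and function names (OtpStore, issue, verify) and the limits (six digits, five-minute lifetime, five attempts) are assumptions chosen for illustration. Delivery of the code by SMS or email is outside the example. The server never stores the code in clear text, compares in constant time, and treats the code as single-use; the short lifetime and attempt limit are what make a six-digit code safe against guessing.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative policy values (assumptions, not from any regulation):
OTP_DIGITS = 6            # length of the numeric code sent to the policyholder
OTP_TTL_SECONDS = 300     # code is valid for five minutes
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is discarded


def _digest(code: str, salt: bytes) -> bytes:
    """Salted hash of the code as held server-side. A six-digit code can be
    brute-forced offline if this store leaks, so the hash only prevents casual
    disclosure; the lifetime and attempt limit are the real controls."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """Server-side record of issued one-time passwords, keyed by user id.
    `clock` is injectable so expiry can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> (salt, digest, expires_at, failed_attempts)
        self._pending = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user and return it for out-of-band
        delivery (SMS/email). The clear-text code must not be logged."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + OTP_TTL_SECONDS
        # Issuing a new code replaces any earlier one for this user.
        self._pending[user_id] = (salt, _digest(code, salt), expires_at, 0)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Check a submitted code. Returns True once per issued code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing outstanding (never issued, used, or expired)
        salt, digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False  # expired codes are discarded, not retried
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False  # too many wrong guesses: force a new code to be issued
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(_digest(submitted, salt), digest)
        if ok:
            del self._pending[user_id]  # single use: a replayed code fails
        else:
            self._pending[user_id] = (salt, digest, expires_at, attempts + 1)
        return ok


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("policyholder-42")   # constructed sample user id
    print("verify correct code:", store.verify("policyholder-42", code))
    print("replay same code:   ", store.verify("policyholder-42", code))
```

The injectable clock is there so the expiry path can be tested deterministically; in production the default `time.time` is used. Issuing a new code replaces the old one, which is the behaviour a “resend code” button should have.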
Procedure For Disposal Of Non-Public Information
As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and PCI. Improper document destruction is often a downfall of small business security.
Regulations on this vary by state. Agents doing business in multiple states should adhere to the highest level of requirements. Keep in mind that there is a difference between complete disposal of information and simple deletion.
Better Business Bureau (BBB) Cybersecurity Business Resources
Large collection of resources, tips, guides, etc.
US Small Business Administration Cybersecurity Guide
Learn about cybersecurity threats and how to protect yourself.

Copyright © 2024 Independent Insurance Agents & Brokers of America, Inc. All rights reserved. No portion of this guide may be reproduced in any manner without the prior written consent of IIABA.