SECURITY MUST BE A TOP AGENCY PRIORITY
New ACT Report Outlines Key Principles for Systems Security
ALEXANDRIA, Va., April 5, 2005—In this new electronic world, a careful focus on security planning and implementation has become imperative for independent agents and brokers, according to the Agents Council for Technology’s (ACT) new report, The Independent Agent’s Guide to Systems Security: What Every Agency Principal Needs to Know.
Independent agencies and brokers are increasingly becoming paperless, relying on computers for their customer information, and communicating with their carriers and customers electronically.
“A virus that spreads throughout an agency’s systems can bring our work to a standstill and take considerable time and money to fix,” says Brian Bartosh, president of the Top O’Michigan Insurance Agency in Alpena, Mich., and chair of the ACT Agency Security Issues Work Group. “A security breach exposing our customers’ personal information could expose an agency to significant potential liability and severely damage the agency’s reputation in its community—a reputation that the agency has spent years building.”
“Protecting agency security is becoming more important every day,” says Jeff Yates, ACT executive director. “ACT felt it was extremely important to develop a guide specifically focused on the security risks facing agents and brokers and to present the recommendations in non-technical language that would be readily understood by agency business leaders.”
The ACT guide takes the reader through “A Day in the Life of an Independent Agent” to provide a context for the security risks agencies are likely to face. The report also includes an extremely useful security self-assessment tool, a sample agency security policy, and guidance on choosing an outside security consultant if desired. The last section of the tool provides recommendations to help an agency prepare in advance for a security breach, so that the agency does not have to resort to “ad hoc” action after the fact.
“ACT believes it is vital for the agency principal to understand the security risks that his or her agency faces, to communicate the importance of security throughout the agency and then to oversee the agency’s efforts to develop and then implement a comprehensive security policy,” Bartosh says. “Agents will find this tool to be very useful whether or not they decide to retain an outside security expert to assist them in responding to these risks.”
“The report also drives home that managing security risk is an ongoing and never-ending process,” Yates adds. “New employees need to be trained on the policy; compliance must be monitored and traffic ‘logged’ for any unusual activity; security should be brought up periodically in staff meetings to keep the issues front and center for the staff; and just as one security ‘hole’ is plugged, an agency must be prepared for another one to emerge.”
The report says agencies should:
· Have an individual login and password for each employee and understand the need to keep this information strictly confidential. Logins and passwords determine who has access to your systems, your data and your customers’ confidential information. The agency’s procedures should assure that an employee’s access to the agency’s and carrier’s systems is terminated immediately when the employee is no longer employed by the agency.
· Activate the access controls on the agency management system and restrict access to confidential customer and employee information to only those employees who have a business need to access that information.
· Have their employees sign a confidentiality agreement acknowledging and protecting the agency’s ownership of all of its data and policyholder information and agreeing not to copy it, transmit it or post it to a Web site except as authorized by the agency.
· Have a security policy covering incoming and outgoing emails; prohibit opening attachments in emails from unknown sources, downloading music or video files, and accessing non-business websites; restrict downloading applications without permission; and prohibit family member use of agency computers. Each of these activities carries the risk of infecting the agency’s systems with a virus or other “malware.”
· Have firewalls as well as protection from viruses and other types of “malware” at both the network level and on the agency’s desktops and laptops. This protection software should be updated with new virus definitions on a regular, scheduled basis, such as daily. Operating system security updates should also be made on a timely basis after assuring that the “bugs” have been worked out of these updates.
· Take special care to keep the firewall and virus protection within laptops up-to-date, because of the likelihood laptops will be used in public locations having wireless connections, where the agency’s network level firewall and virus protection are not available.
· Determine what types of agency data may be kept on PDAs and laptops, because of the risk that these items can be lost. If confidential agency data needs to be kept on the laptop, then this data should be encrypted, if possible.
· Activate security features and change default settings when wireless networks are used.
· Actively manage the logs generated by their systems for any unusual activity that suggests spyware or some other unauthorized use of the agency’s systems.
To download The Independent Agent’s Guide to Systems Security: What Every Agency Principal Needs to Know, please visit www.independentagent.com/act; the report is available on the home page.
Established in 1999 by the Independent Insurance Agents & Brokers of America (the Big “I”), ACT provides a candid, action-oriented forum for agent and industry associations, user groups, companies and vendors to address critical technology and workflow issues facing the independent agency system.
Founded in 1896, the Big “I” is the nation’s oldest and largest national association of independent insurance agents and brokers, representing a network of more than 300,000 agents, brokers and their employees nationally. Its members are businesses that offer customers a choice of policies from a variety of insurance companies. Independent agents and brokers offer all lines of insurance—property, casualty, life and health—as well as employee benefit plans and retirement products. Web address: www.independentagent.com.