Cybersecurity is a big topic with many aspects to consider. This article aims to bring clarity about three areas of cybersecurity as it relates to independent insurance agencies. In that spirit, the article is written in three parts to allow you to skip directly to the part that you are interested in.
Part I. Understanding the Threat of Cyber Breaches explores the current state of cybersecurity worldwide, the pace of breaches, and the tangible costs of breaches.
Part II. What Does This Mean for the Independent Agent analyzes how cybersecurity and breaches impact independent agents. We have provided a data breach calculator to estimate how much one breach can cost your agency.
Part III. How to Protect Your Agency from Hackers offers action items and resources that your agency can apply today to protect itself. We’ve assembled a 10-point checklist you can use to protect your agency. You can also share this checklist with your policyholders and show prospective customers how your agency is being proactive in fighting cybersecurity threats.
IdentityForce states that reported data breaches in 2016 increased by 40% over 2015. Also, Yahoo announced the largest data breach in history last year, affecting more than one billion accounts.
2017 is on pace to be the worst year for cybersecurity, says InfoWorld.
We’re all aware of the recent Equifax scare (and since we started drafting this article, they’ve been hit again!). Did you even know of these other victims?
…and the list goes on. (Source: Idtheftcenter.org)
Most disturbing is that many of the recent large breaches occurred years ago with IT teams only recently discovering or disclosing the damage. InfoWorld says we may never know the extent of the true damage because the vast majority of incidents are never reported.
In the past, hackers prided themselves on breaking into single systems. Today, their mission is all-encompassing, including the cloud.
Leading market analyst Juniper Research estimates that cybercrime will cost businesses over $2.1 trillion globally by 2019, almost quadrupling the estimated cost of breaches in 2015.
IBM Security sponsors a study conducted by Ponemon Institute, the 2017 Cost of Data Breach Study. The study presents some interesting findings.
It means your professional livelihood could be severely affected or destroyed if you do not implement cybersecurity measures.
The Agents Council for Technology (ACT) has summarized the findings of the 2016 Agency Universe Study (conducted by IIABA, an independent research firm, and independent agencies). The study shows cyber concerns are now at the top of every agent’s technology list. Statistics show that 50% of small and medium-sized businesses suffered a cyberattack in 2016.
Despite these concerns, few have implemented security measures.
The plethora of information floating around on cybersecurity is overwhelming. We get it. It’s almost too much to even think about. Why should you even worry about it as a small business?
Answer: Because, if the Big Boys aren’t safe from malicious cyber attacks, neither are you.
Serious criminals are now more likely to skip the local donut shop, which provides them with just credit card information, and go straight to the sugar factory – the financial sector. This sector not only has credit card information, but also a treasure trove of Personally Identifiable Information (PII) like bank account numbers, addresses, social security numbers, driver license numbers, dates of birth, and personal health information. Does this data sound familiar? It’s everything that your insurance agency stores for its policyholders.
Owners of small businesses often say they don’t have the money, time, or infrastructure to invest in cyber liability insurance. But have you ever considered the cost of not having cyber protection?
"Contrary to popular belief, smaller businesses actually have 'all the more reason why they should buy the coverage—they don’t have the assets to protect themselves and cover their bottom line.'"
Alex Wayne
Executive Vice President, A.J. Wayne & Associates, Inc.
Insurance Broker, Chicago, IL
(Source: iamagainze.com)
All states but two (Alabama and South Dakota, as of the date of this writing) have cyber breach notification laws. This is good news for the customer, but creates complexity for the independent agent who has to understand and comply with each state’s distinct cyber breach laws. If you do business in any of these 48 states, you may be at risk of being fined if you don't have a cybersecurity plan. Studies show you are at risk of spending anywhere from $1,000 - $100,000 per incident. And according to Ponemon Institute the average price for small businesses to recover after a hack stands at $690,000 (Source: ACT).
Could your business withstand the cost of a data breach and the time to process notifications to your book of business? Not to mention the loss of your business’s reputation.
Protecting your clients’ sensitive information is now one of the most critical responsibilities you face as a modern insurance agent and small business owner.
The cost of a data breach goes beyond loss of business, loss of reputation, and regulatory client notifications. According to ACT, independent agents could incur substantial penalties for not complying with federal and state requirements such as the Gramm-Leach-Bliley Act ("GLBA"), those of the New York Department of Financial Services, and other emerging regulatory requirements that protect consumer information.
Take heed, the law that applies is not based on the state where the breach occurred or where the agent is located, but rather the jurisdiction of the person whose data was breached.
Penalties and the data breach communication requirements can vary by state, so consult legal counsel to assess your individual situation.
ACT, in cooperation with outside entities, has created an Agency Cyber Guide as a free tool for agents. It provides resources to comply with these 12 cybersecurity regulations:
1. Risk assessment
2. Written security policy
3. Incident response plan
4. Staff training and monitoring
5. Penetration testing/vulnerability assessment
6. Access control protocol
7. Written security policy for 3rd-party service providers
8. Encryption on non-public information
9. Designation of CIO
10. Audit trail
11. Implementing multi-factor authentication
12. Procedure for disposal of non-public information
NOTE: Some resources are free to agents through ACT and other entities while others cost money.
A cyber endorsement to your agent’s E&O policy isn’t enough to protect you against the vast range of cyber-related threats. Independent insurance agents are advised to carry a separate cyber liability policy.
While you need it, antivirus software is not enough.
Did you know that during a four-month-long cyberattack on the New York Times by hackers from China, the NYT's antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network?
"Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired -- say by a hired killer," said Jindrich Kubec, Avast's Threat Intelligence Director. "Does it mean you will stop using airbags and seatbelts?" (Source: money.cnn.com)
Make sure you have antivirus. But, make sure your expectations are realistic about what that software will stop.
“The solution," security experts say, "is to deploy technology that keeps a very, very close eye on what's happening inside your network. You can't always prevent attackers from getting in, but you can at least set tripwires to alert you when they do. The survival of your business’s future depends on it.” (Source: money.cnn.com)
Use Transport Layer Security (TLS) to secure electronic transfers of Personally Identifiable Information with carriers.
If an unsecured email is intercepted along the path to a carrier, allowing personal data to be read like an open postcard through the mail, “the agency would face a security breach creating a significant risk to the agency’s reputation and potential E&O exposure.” (ACT)
Standard email encryption services provide good protection, but it can be difficult to share encrypted emails between companies because each uses a different proprietary solution. TLS works independently of the email user and protects information by transmitting the data and attachments through an “impervious TLS tunnel” (ACT).
TLS is built into most email gateways used today (MS Exchange/IBM Lotus Notes) and is simply “turned on” via a click of the mouse.
“In this day and age of focus on security, all email gateways and servers should be configured to use TLS if it is available. Encourage your carriers to provide you the TLS option for secure email... TLS is a security manager’s dream solution—one that requires no work on the part of the end user yet protects email content." (ACT)
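One way to confirm that TLS was actually used on a message sent to a carrier, shown as an added example that is not from ACT or HawkSoft: each mail server records how it received the message in a `Received` header, and the RFC 3848 keywords (such as `ESMTPS`) mark a hop that was protected by TLS. The hostnames and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 for transfers protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Pulls sender, receiver and transfer protocol out of one Received header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

# Constructed sample: three hops from an agency to a carrier, one without TLS.
SAMPLE = """\
Received: from gw.carrier.example (gw.carrier.example [203.0.113.10])
\tby mx.carrier.example with ESMTPS id C3; Tue, 03 Oct 2017 10:00:03 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby gw.carrier.example with ESMTP id B2; Tue, 03 Oct 2017 10:00:02 -0500
Received: from mail.agency.example (mail.agency.example [192.0.2.25])
\tby relay.isp.example with ESMTPS id A1; Tue, 03 Oct 2017 10:00:01 -0500
From: agent@agency.example
To: underwriting@carrier.example
Subject: Policy application

(body omitted)
"""

def audit_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Servers prepend their header, so the newest hop is at the top.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        match = HOP_RE.search(flat)
        if not match:
            # An unparseable hop is reported as unprotected, not skipped.
            hops.append({"sender": None, "receiver": None,
                         "protocol": None, "tls": False})
            continue
        sender, receiver, proto = match.groups()
        proto = proto.rstrip(";").upper()
        hops.append({"sender": sender, "receiver": receiver,
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Hops whose Received header does not claim a TLS-protected transfer."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]

if __name__ == "__main__":
    for hop in unencrypted_hops(SAMPLE):
        print("No TLS:", hop["sender"], "->", hop["receiver"], hop["protocol"])
```

`Received` headers are written by each server along the path, so treat entries from servers outside your control as claims rather than proof.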
Deploying a comprehensive cybersecurity program takes time and resources. It’s a whale of a task. But you can eat a whale one bite at a time. Protecting your office and clients’ PII is no different. Tackle it one byte at a time.
HawkSoft has assembled a 10-point Cybersecurity Checklist by scouring our industry’s top resources. The checklist will help you start a step-by-step process to implement data security measures. We’ve also highlighted 5 Top Picks that you can easily do right now to make your agency more protected, like following a new trend to increase password strength. (Here’s a little comic relief on this very subject: Password Strength.)
The important thing is to start. Independent agents need to make security compliance a priority. It may be required in your state, and you can use your preparedness as a competitive advantage when speaking with prospective clients. This is one bandwagon independent agents don’t want to miss.
Image Sources: Shutterstock