Cybersecurity is a big topic with many aspects to consider. This article aims to bring clarity about three areas of cybersecurity as it relates to independent insurance agencies. In that spirit, the article is written in three parts to allow you to skip directly to the part that you are interested in.
Part I. Understanding the Threat of Cyber Breaches explores the current state of cybersecurity worldwide, the pace of breaches, and the tangible costs of breaches.
Part II. What Does This Mean for the Independent Agent analyzes how cybersecurity and breaches impact independent agents. We have provided a data breach calculator to estimate how much one breach can cost your agency.
Part III. How to Protect Your Agency from Hackers offers action items and resources that your agency can apply today to protect itself. We’ve assembled a 10-point checklist you can use to protect your agency. You can also share this checklist with your policyholders and show prospective customers how your agency is being proactive in fighting cybersecurity threats.
2017 is on pace to be the worst year for cybersecurity, says InfoWorld.
We’re all aware of the recent Equifax scare (and since we started drafting this article, they’ve been hit again!). Did you even know of these other victims?
- Dun & Bradstreet
- Dow Jones & Company
- Saks Fifth Avenue
…and the list goes on. (Source: Idtheftcenter.org)
Most disturbing is that many of the recent large breaches occurred years ago with IT teams only recently discovering or disclosing the damage. InfoWorld says we may never know the extent of the true damage because the vast majority of incidents are never reported.
In the past, hackers prided themselves on breaking into single systems. Today, their mission is all-encompassing, including the cloud.
What’s the cost of data breaches?
Leading market analyst, Juniper Research, estimates that cybercrime will cost businesses over $2.1 Trillion globally by 2019, almost quadrupling the estimated cost of breaches in 2015.
IBM Security sponsors a study conducted by Ponemon Institute, the 2017 Cost of Data Breach Study. The study presents some interesting findings.
- Average total cost of a data breach is $3.62M for the 419 companies participating. This is a 10% decrease from 2016 to 2017. Despite the decline in total costs, the scope of the data breaches (number of records lost or stolen) increased by 1.8%.
- Companies in the United States and Canada spent the most to resolve a malicious or criminal attack, at $244 and $201 per lost/stolen record containing sensitive and confidential information, respectively.
- Health care organizations and financial services saw average costs of $380 and $245 per record, respectively.
- System glitches cost $128 per record.
- Human error or negligence costs $126 per record.
- Hackers and criminal insiders caused 47% of all breaches.
This means your professional livelihood could be severely affected or destroyed if you do not implement cybersecurity measures.
The Agents Council for Technology (ACT) has summarized the findings of the 2016 Agency Universe Study (conducted by IIABA, an independent research firm, and independent agencies). The study shows cyber concerns are now at the top of every agent’s technology list. Statistics show that 50% of small and medium-sized businesses suffered a cyberattack in 2016.
Despite these concerns, few have implemented security measures.
- 61% of agents saw a need for an agency cyber liability policy
- Only 34% of agents have a written security policy
- Only 23% of agents have a written disaster recovery plan
The plethora of information floating around on cybersecurity is overwhelming. We get it. It’s almost too much to even think about. Why should you even worry about it as a small business?
Answer: Because if the Big Boys aren’t safe from malicious cyber attacks, neither are you.
Skip the donut shop – criminals go for the PII jackpot
Serious criminals are now more likely to skip the local donut shop, which provides them with just credit card information, and go straight to the sugar factory – the financial sector. This sector not only has credit card information, but also a treasure trove of Personally Identifiable Information (PII) like bank account numbers, addresses, social security numbers, driver license numbers, dates of birth, and personal health information. Does this data sound familiar? It’s everything that your insurance agency stores for its policyholders.
- Lone Wolf Hacker – could be your nosy neighbor across the street or someone clear on the other side of the world. Just being on the internet makes you the wolf’s sheep.
- Employees – Those who have left your company are the bigger concern, but even trusted current hires can be negligent. A report from Ipswitch states 84% of employees are using personal email to send sensitive files, and more than 50% expose company files or data by uploading to a cloud-based service such as Dropbox.
- Mobile Devices – Insurance agents are heavy telecommuters, making their clients' PII very vulnerable when accessing the office network through an unsecured wireless network.
- Third-Party Service Providers – Your clients’ sensitive data is transferred over the internet to third-party companies, putting it at risk of hackers looking to intercept data.
Specific cyber risks that need to be managed
- Identity theft - sensitive PII is stolen by a hacker or inadvertently disclosed by your office.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets, and other similar electronic business assets.
- Introduction of malware, worms, or other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- Cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
The small agency myth
Owners of small businesses often say they don’t have the money, time, or infrastructure to invest in cyber liability insurance. But have you ever considered the cost of not having cyber protection?
"Contrary to popular belief, smaller businesses actually have 'all the more reason why they should buy the coverage—they don’t have the assets to protect themselves and cover their bottom line.'"
Executive Vice President, A.J. Wayne & Associates, Inc.
Insurance Broker, Chicago, IL
All states but two (Alabama and South Dakota, as of the date of this writing) have cyber breach notification laws. This is good news for the customer, but creates complexity for the independent agent who has to understand and comply with each state’s distinct cyber breach laws. If you do business in any of these 48 states, you may be at risk of being fined if you don't have a cybersecurity plan. Studies show you are at risk of spending anywhere from $1,000 - $100,000 per incident. And according to Ponemon Institute the average price for small businesses to recover after a hack stands at $690,000 (Source: ACT).
Could your business withstand the cost of a data breach and the time to process notifications to your book of business? Not to mention the loss of your business’s reputation.
It’s David against Goliath.
But the little guy can win.
Protecting your clients’ sensitive information is now one of the most critical responsibilities you face as a modern insurance agent and small business owner.
Avoid penalties by complying with Federal and State Acts
The cost of a data breach goes beyond loss of business, loss of reputation, and regulatory client notifications. According to ACT, independent agents could incur substantial penalties for not complying with required regulations of federal and state acts such as Gramm-Leach-Bliley Act ("GLBA"), the New York Department of Financial Services, and other emerging regulatory requirements that protect consumer information.
Take heed: the law that applies is not based on the state where the breach occurred or where the agent is located, but rather on the jurisdiction of the person whose data was breached.
Penalties and the data breach communication requirements can vary by state, so consult legal counsel to assess your individual situation.
ACT, in cooperation with outside entities, has created an Agency Cyber Guide as a free tool for agents. It provides resources to comply with these 12 cybersecurity regulations:
1. Risk assessment
2. Written security policy
3. Incident response plan
4. Staff training and monitoring
5. Penetration testing/vulnerability assessment
6. Access control protocol
7. Written security policy for 3rd-party service providers
8. Encryption on non-public information
9. Designation of CIO
10. Audit trail
11. Implementing multi-factor authentication
12. Procedure for disposal of non-public information
NOTE: Some resources are free to agents through ACT and other entities while others cost money.
A cyber endorsement to your agent’s E&O policy isn’t enough to protect you against the vast range of cyber-related threats. Independent insurance agents are advised to carry a separate cyber liability policy.
While you need it, antivirus software is not enough.
Did you know that during a four-month long cyberattack on the New York Times by hackers from China, the NYT's antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network?
"Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired -- say by a hired killer," said Jindrich Kubec, Avast's Threat Intelligence Director. "Does it mean you will stop using airbags and seatbelts?" (Source: money.cnn.com)
Make sure you have antivirus. But, make sure your expectations are realistic about what that software will stop.
“The solution," security experts say, "is to deploy technology that keeps a very, very close eye on what's happening inside your network. You can't always prevent attackers from getting in, but you can at least set tripwires to alert you when they do. The survival of your business’s future depends on it.” (Source: money.cnn.com)
Secure your email with TLS
Use Transport Layer Security (TLS) to secure electronic transfers of Personally Identifiable Information with carriers.
If an unsecured email is intercepted along the path to a carrier, allowing personal data to be read like an open postcard through the mail, “the agency would face a security breach creating a significant risk to the agency’s reputation and potential E&O exposure.” (ACT)
Standard email encryption services provide good protection, but it can be difficult to share encrypted emails between companies since different proprietary solutions are used. TLS provides a solution independently of the email user and protects information by transmitting the data and attachments through an “impervious TLS tunnel” (ACT).
TLS is built into most email gateways used today (MS Exchange/IBM Lotus Notes) and is simply “turned on” via a click of the mouse.
“In this day and age of focus on security, all email gateways and servers should be configured to use TLS if it is available. Encourage your carriers to provide you the TLS option for secure email... TLS is a security manager’s dream solution—one that requires no work on the part of the end user yet protects email content." (ACT)
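As an added example (not from this article or from ACT), the Python script below audits the Received: headers of a delivered message to show which hops actually negotiated TLS. Turning TLS on makes it available, but a hop is only protected if the other server also used it, and the headers record what really happened. The message, host names and addresses are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): the carrier's internal hop ran in
# the clear ("ESMTP"); the hop into the agency gateway used STARTTLS ("ESMTPS").
SAMPLE_MESSAGE = (
    "Received: from mx.carrier.example (mx.carrier.example [198.51.100.7])\n"
    "\tby mail.agency.example (Postfix) with ESMTPS id 4Abc123\n"
    "\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)\n"
    "\tfor <agent@agency.example>; Mon, 2 Oct 2017 09:15:02 -0700\n"
    "Received: from desk42.carrier.example (desk42.carrier.example [203.0.113.22])\n"
    "\tby mx.carrier.example with ESMTP id 9Xyz789\n"
    "\tfor <agent@agency.example>; Mon, 2 Oct 2017 09:14:58 -0700\n"
    "Subject: Policy application (constructed sample)\n"
)

# RFC 3848 "with" keywords meaning the hop was carried inside TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None

def parse_hop(received):
    """Sender, receiver, protocol keyword and TLS details from one Received:
    header value; folded continuation lines are collapsed first."""
    text = re.sub(r"\s+", " ", received)
    protocol = (_field(r"\bwith\s+([A-Za-z0-9]+)", text) or "").upper()
    return {
        "from": _field(r"\bfrom\s+(\S+)", text),
        "by": _field(r"\bby\s+(\S+)", text),
        "protocol": protocol,
        "encrypted": protocol in TLS_PROTOCOLS,
        "version": _field(r"version=([A-Za-z0-9._]+)", text),
        "cipher": _field(r"cipher=([A-Za-z0-9_-]+)", text),
    }

def audit_hops(raw_message):
    """One dict per Received: header, most recent hop first. Only the hop into
    your own gateway was recorded by a server you control; the rest are the
    other parties' claims."""
    msg = message_from_string(raw_message)
    return [parse_hop(value) for value in msg.get_all("Received", [])]

def cleartext_hops(raw_message):
    """'from -> by' for every hop that was not protected by TLS."""
    return [f"{h['from']} -> {h['by']}" for h in audit_hops(raw_message)
            if not h["encrypted"]]
```

Run `cleartext_hops()` over a mailbox export from a carrier to see whether the "TLS option" is actually being used on every hop, not just offered.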
Take Action. Get started with the Cybersecurity Checklist.
Deploying a comprehensive cybersecurity program takes time and resources. It’s a whale of a task. But you can eat a whale one bite at a time. Protecting your office and clients’ PII is no different. Tackle it one byte at a time.
HawkSoft has assembled a 10-point Cybersecurity Checklist by scouring our industry’s top resources. The checklist will help you start a step-by-step process to implement data security measures. We’ve also highlighted 5 Top Picks that you can easily do right now to make your agency more protected, like following a new trend to increase password strength. (Here’s a little comic relief on this very subject: Password Strength.)
The important thing is to start. Independent agents need to make security compliance a priority. It may be required in your state, and you can use your preparedness as a competitive advantage when speaking with prospective clients. This is one bandwagon independent agents don’t want to miss.
Image Sources: Shutterstock