In the past few years, significant regulatory developments have taken shape around cybersecurity, fiduciary responsibility and legal liability for licensees, starting with the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements and most recently the National Association of Insurance Commissioners (NAIC) Model Law. Beginning in just a few weeks, this March, covered entities are required to file their cybersecurity plan.
The NYDFS regulation requires companies to establish and maintain a cybersecurity program that protects the nonpublic data of their clients. Smaller companies may be eligible for a limited exemption. If you are licensed in New York, you are covered by this regulation.
Even if you are not licensed in New York, having a security plan in place is still critical. Your state may not yet have a cybersecurity regulation, but it does have data breach notification laws. Other regulations that address privacy and security have been in force for years, such as HIPAA, HITECH and the Gramm-Leach-Bliley Act.
Cybersecurity guide for independent insurance agents
Why is cybersecurity important?
It’s not just retailers and financial institutions like Target and JPMorgan Chase that are experiencing data breaches. It’s also happening in the insurance industry.
“Within any role in the organization, learning about security can help an individual understand the risks and make informed decisions for their key stakeholders,” says Pavi Ramamurthy, senior manager of information security at LinkedIn.
Like what, you ask? Here are a few of Ramamurthy’s examples:
- In sales, reassure customers of an organization’s security position.
- In communications, assess in the context of business reputation and brand trust.
- Regarding HR and/or security, know what’s needed for better training and security awareness.
- IT professionals should perform reviews and quality assurance tests for functional and security verification.
- Management should ensure that a good security incident response plan is in place to address any vulnerabilities.
How to do a Cybersecurity Risk Assessment?
There are different levels of risk assessment, and a thorough security analysis can, in principle, be performed on your own. There is no shortage of cybersecurity companies specializing in vulnerability testing and risk assessment, but these services can be expensive and may not be cost-effective for a small business with a small network.
However, even if you are a small entity, it may not always be a good idea to do the risk assessment on your own. “If companies do not have the experience, tools or team to conduct a thorough and accurate risk assessment and are simply trying to save costs by doing so themselves, they may experience increased costs in the future when a hack or data breach that could otherwise have been prevented occurs,” said Keri Lindenmuth, Kyle David Group’s marketing manager. “Because of the financial implications, many small businesses do not recover from a data breach and end up closing their doors forever.”
If you are confident that you and your staff have the collective expertise to conduct a risk assessment, the next thing to keep in mind is that you must look at your own systems objectively. Companies often overlook certain security weaknesses because fixing them would cause too much disruption or cost too much. If your results point to major holes in your network, you need to be willing to make major changes, no matter the cost.
How to strengthen Cybersecurity in your agency?
After assessing your risks, you need to put together a comprehensive set of plans to secure your data. Those plans will also need periodic review to confirm that the protections you put in place are still working. Having a plan in place is better for your agency and its future.
There are three things you need to create as part of a cybersecurity program:
- Information security plan
- Data breach response plan
- Third-party standards for your vendors
You can read more about incorporating cybersecurity into a small business here.
In addition to the plans and standards you have set, you will also need to train your employees. Help them understand that this is a serious and important issue. Show them what they should do and what they should look for, and hold them accountable to your security plan.
Conduct regular tabletop exercises: meetings in which you walk through your plan against a simulated emergency and discuss how each person would respond. Review your plans once or twice a year to ensure that they remain up to date with new technology, threats and regulations.
A plan might be excellent, but it means nothing if you don’t implement it. Take the time to protect your agency and your clients by creating a cybersecurity program. It may be the difference between the success and failure of your business.