Data security is a hot-button issue in a world with technology that evolves faster than the legal system. Although employees are often warned of the dangers of opening sketchy emails or keeping similar passwords, cybersecurity conversations are often quite limited and weak compared to the profound number of existing security threats. Much of the onus is on the employer to ensure that their organization follows standards to keep employee and client data safe — both online and in the office.
The Applied Net 2018 session, “Technologies to Implement to Help You Better Comply with Regulations,” was devoted to navigating these complicated waters. The expert panel, moderated by David Gerlach, vice president of information security and data protection officer at Applied Systems, included the following panelists: Collin Passman, IT coordinator at The Signature B&B Companies, and Shaun Lopez, chief information security officer and manager of information systems at Millennium Alliance Group, LLC. Passman and Lopez both work within the confines of the New York Department of Financial Services’ cybersecurity rules, known to be some of the strictest and most thorough regulations in the country.
The panel offered some key advice for protecting insurance agencies and brokerages from data security lawsuits and charges. For those who didn’t attend, here’s what you need to know.
Learn Your State’s Rules
It is critical for your business to minimize the risk of a data security breach and the gargantuan fines that pile up after a failed inspection or audit. Said Passman, “Fines can be anywhere from $500–$1,000 per offense. If they find 10 things wrong, that’s $10,000 you have to forgo, and then you've got a target on your back.” Save yourself the money and trouble by learning the compliance requirements and resources in all of the locations where your company does business. One option is to hire a good cyber attorney or a data security consultant to assist with and implement a compliance program.
Where do you go to find state-specific regulations? Passman advised seeking out your state agent’s association, as they should have advanced knowledge of what is required for your area (membership is often required). Insurance carriers, he added, will not know about data security compliance, and he did not recommend asking them for help.
All of the panelists noted that much of this information is available online. Check with your state department of finance, attorney general website, broker’s association websites, etc., to gain access to the rules and requirements by which your organization needs to comply. Insurance agencies connected to banks may have an advantage because the rules are often the same. Something important to keep in mind: The number of items by which your organization is required to comply may vary depending on the size and number of assets. Lopez recommended printing off all of the rules and creating a checklist in order to ensure that all areas of compliance are met.
Consider Your Third-Party Resources
Even if your organization is doing everything it can to stay compliant, you might still be at risk. How secure are your third-party platforms and partners? Everyone that has access to your company’s data —and your client’s data — has to comply with the state’s data regulations.
Gerlach assured that Applied Systems, on their end, is compliant, “but you need to configure your agency to be compliant on your own side.” Legally, as long as you are in control of your data, you need to be compliant. However, in the Applied Cloud, the data is no longer in your control; that is the demarcation line. If your company does a bulk data extract — pulling it down from the database and hosting it locally — you once again assume the responsibility. Thus, Gerlach explained, a data breach happening at the cloud level would be an Applied System’s breach, not your own. Learn more about Applied Cloud and data security in this eBook.
This raises the question of how to ensure that you are working with compliant partners and systems. Passman and Lopez both recommend asking all third-party resources if they have a compliance program and policy in place, and what their policy is. You can even ask them to send you the policy. If they do not have one or refuse to disclose, you might want to look into other providers.
Maintain Safe Security Protocols Company-Wide
Even regulatory bodies recognize that making moves toward total compliance takes time. If you are in the process of getting audited, you will need to show the steps your company is taking to create a fully-compliant environment. Passman advised getting a strong “understanding of all the dates and times things need to be in place,” and creating a plan for execution that stems from that.
The panel noted that insurance agencies have an employee base that is more susceptible to cybersecurity mishaps based on the fact that almost all are trained to help. The employer must do everything in its power to support employees and prevent them from making crucial mistakes, e.g., downloading viruses from bad emails or USB drives. Some things to consider include better password maintenance (employees change passwords every 60–90 days, two-factor authentication, required password manager software, etc.), quarterly email phishing tests, rules around application downloads to work-issued devices and policies for wiping phone data when an employee leaves the company.
Resources at Your Fingertips
Preparing for a regulatory audit can be overwhelming and time consuming, but there are a lot of resources available that can help. If you need help with something specific, don’t forget that the Applied Client Network forums are just a click away. Gerlach also noted that Applied Systems has some great resources to help insurance agencies with their data security mandates. Talk to your Applied Systems sales representative or customer support to learn more about its due diligence package.