The Unavoidable Business Risk for Brokers and Agents
By James Harrison
Data breaches, like taxes, are inevitable. No business or organization is immune. Dealing with cyber threats and staying compliant with government and industry requirements is now an inherent risk of doing business for insurers, brokers, agents and other related businesses. While some in insurance and financial services have recently awakened to this reality, most still have significant work to do to protect themselves and their clients.
In today’s digital age, maintaining a formalized information security plan and staying compliant with federal, state and industry data breach regulations has not only become an essential management practice, but possibly a matter of survival. Here’s why:
Insurance Industry Targeted
The insurance industry is highly targeted by cyber criminals because of the valuable personal, financial and health related information handled on a daily basis, and also because agents and agencies are often the most vulnerable and least prepared to prevent or respond to cyber-attacks.
The insurance industry has been rocked over the last two years by a continual onslaught of data breaches that exposed the personal and healthcare data of well over 100 million Americans, most notably in the hacks of Anthem, Premera and Excellus. Making things worse for brokers and agents, criminals are increasingly looking to reach larger businesses by working in through their benefits provider/insurance agent, law firm, accountant or other service provider.
This is putting increased pressure on the insurance industry to not only meet new client expectations for data privacy, but to also comply with government and industry standards for protecting confidential information.
A New Age, New Client Expectations
Regardless of the type of insurance you provide, your clients expect you to keep their personal and confidential information private and secure. Business clients in particular are becoming increasingly concerned about security risks with third party service providers, such as their insurance agency, and may require agents or brokers to answer lengthy security questionnaires about their cybersecurity and risk management practices before doing business.
If you haven’t already begun receiving information security assessments, including requests to sign information security agreements, be assured this is the future of building and maintaining client relationships. It’s ironic that after years of worrying about “differentiation” and what makes one agency somehow better than another, gaining and keeping clients may boil down to a measurable distinction between the firms that might get hacked and the firms that might not.
Firms that are serious about their business are taking this expectation seriously, including obtaining security and compliance certifications based on regulatory and industry standards. Some agencies are now starting to promote this type of security certification in marketing materials and client pitches.
Federal and State Regulatory Requirements
In addition to client expectations, confidential and sensitive information handled by agents and brokers, such as Social Security numbers, dates of birth, financial information, health insurance and healthcare information, must be properly protected under various federal and state laws.
Well-known examples of federal laws include HIPAA-HITECH and GLBA, which require healthcare-related and financial services organizations to implement specific safeguards to protect confidential information. This includes insurance companies, agencies and producers as either a “covered entity” or a third-party “business associate.”
It’s also important to note that 47 states have enacted statutes that protect the personally identifiable information (PII) of consumers and businesses within their state. These state laws require any organization doing business in the state to properly secure the PII of its citizens. Most state laws also include specific requirements for breach response, including reporting data breach incidents, notifying affected persons, and remediating harm to victims. Agencies located in these states, or with customers in these states, must comply with the respective state laws or face civil and/or criminal penalties.
Insurance Industry Standards
While the National Association of Insurance Commissioners (NAIC) has consistently advocated for better information security standards for the industry, in coming months, the NAIC is set to finalize a comprehensive Model Law that establishes the exclusive industry standards for data security and breach response. This will apply to all insurance licensees, which includes not just insurers, but agents, brokers and other parties.
The NAIC’s model law requires all licensed persons and organizations to create a comprehensive written information security program that details the administrative, physical and technical safeguards for protection of personal information, including a breach response plan. It would also require owners and boards of directors to approve and oversee implementation of the program and compliance with the law. The model cybersecurity standards are aimed at encouraging state insurance regulators to incorporate these elements into their regulatory framework.
Brokers and agents alike can no longer claim ignorance on this matter and must take responsibility for ensuring compliance with both government regulatory and industry requirements.
10 Cybersecurity and Compliance Best Practices
The development, implementation and ongoing management of your information security plan should follow the standards and best practices outlined in federal, state and industry requirements. Here’s a good checklist to use as a starting point:
- Management commitment, creating a culture of security
- Conducting regular security risk and compliance assessments
- Creating and maintaining information security policies and procedures
- Implementing necessary cybersecurity technology and defenses
- Conducting regular security vulnerability assessments
- Providing security awareness training for all personnel
- Managing third party service provider/vendor risks
- Having a breach incident response plan
- Obtaining appropriate cyber-liability insurance
- Getting third-party compliance certifications
These components of an overall information security plan apply not just to insurers, brokers and producers, but to virtually any business. Failing to implement and maintain these essentials can significantly reduce your legal defensibility in the event of a data breach incident. It’s also important to remember that cybersecurity and compliance are not a one-time event but an ongoing process.
Unfortunately, data breaches are an unavoidable business risk and have created a new business management responsibility. The first step to protecting your clients and managing this risk is to assess where you stand today. Where are your current vulnerabilities? What regulatory, legal and industry requirements are you not adequately following or failing to address altogether?
You may have to admit to yourself that you are not an expert in cybersecurity or data breach compliance and are not qualified to handle this alone. If you do not have in-house expertise in cybersecurity and compliance management, get outside help.
You may want to consider outside experts anyway, as they likely have more experience and a broader array of tools and resources. Take a comprehensive view of data breach prevention and compliance, and make sure you have the right people doing the right job for you right now.