Because small businesses are so often the target of cybercriminals, you must make sure your insurance agency is armed with a proper cybersecurity plan. In these twelve quick steps, we show you how to get your insurance agency ready to protect itself from these criminals.
- Do a risk assessment.
A risk assessment identifies hazards that could negatively impact your agency’s ability to do business. It helps you identify business risks and put in place ways to reduce the impact of those risks on the agency’s operations. Include a mitigation checklist when you perform this assessment.
- Create a written security policy.
A security policy is a document that states how your insurance agency plans to protect its physical and technological assets. This can also be called the written information security policy (WISP). This should detail your insurance agency’s operations for security, governance, inventories, controls, continuity, disaster planning, and systems monitoring. Include both internal and external mitigation policies.
- Craft an incident response plan.
This is an organized approach to addressing and managing a security breach or attack (known as an incident). The end goal is to handle the situation so as to limit the damage and keep recovery time and cost short. It is also essential that the incident response plan complies with federal and state regulations, including notifying the state superintendent upon detecting a cybersecurity event and contacting customers, insurance carriers, and any third-party service providers.
- Train and monitor your employees.
You must ensure your employees are appropriately trained and supervised. One misstep by personnel at an insurance agency can leave data exposed due to malware, phishing, or other incursions. Regardless of your insurance agency’s size, always ensure your staff is adequately trained on cybersecurity risks.
- Conduct penetration testing & a vulnerability assessment.
Also called pen testing, penetration testing is the process of testing a computer, web app, or network to find any vulnerabilities that a cybercriminal could exploit. It should be done annually, both internally and externally. A vulnerability assessment, done biannually, is the process of defining, identifying, and classifying the security holes in a computer, network, or communications infrastructure.
- Have access control protocol.
Regulations require that access to nonpublic information be restricted, including PII (personally identifiable information), PHI (protected health information), and PCI (payment card industry data security standards).
- Create a written service policy for any third-party service providers.
It is essential to have written policies and procedures that ensure the security of information systems and nonpublic information accessible to or held by third-party service providers. This is an evolving issue, with more guidance to come.
- Encrypt nonpublic information.
Encryption is encoding a message so that only the sender and the intended recipient can read it. Nonpublic information is any information that is not publicly available and, in terms of insurance, refers to PII, PHI, and PCI. The regulation explains the need to encrypt and protect this data both when storing it and when transferring it between the insurance agency and clients, such as in email.
- Designate a chief information officer (CIO).
Required by the New York Department of Financial Services for some agencies that do business in NY, this role is also referred to nationally as the “data security coordinator.”
- Have an audit trail.
Also known as an audit log, an audit trail is an electronic trail that documents a transaction step by step. It enables an examiner to trace the ledger’s financial data back to documents such as invoices, receipts, or vouchers. An easy-to-follow audit trail indicates good internal controls. For insurance agencies, an agency management system often provides a good foundation for an audit trail.
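As an added illustration (example code, not part of the original article and not taken from any agency management system), the following Python sketch shows what an audit trail that an examiner can follow looks like in practice: every entry names who acted, what they did, and the source document (invoice, receipt, or voucher) it ties back to, and each entry carries a hash of the one before it so that a silently altered or deleted record is detected. The record layout and the hash-chain design are this example's own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_HASH = "0" * 64  # previous-hash value for the first entry (assumption)


@dataclass
class AuditEntry:
    seq: int            # position in the trail, starting at 1
    actor: str          # user or system that performed the step
    action: str         # e.g. "premium_received", "commission_paid"
    amount: float
    source_doc: str     # invoice / receipt / voucher reference the step is tied to
    prev_hash: str      # hash of the preceding entry (chains the trail together)
    entry_hash: str = ""  # hash of this entry's own fields, filled in on record()


class AuditTrail:
    """Append-only, hash-chained audit trail (constructed example)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Hash every field except entry_hash itself, with stable key ordering.
        body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, amount, source_doc):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(len(self.entries) + 1, actor, action, amount, source_doc, prev)
        entry.entry_hash = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return 0 if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries, start=1):
            if entry.seq != i or entry.prev_hash != prev or entry.entry_hash != self._hash(entry):
                return i
            prev = entry.entry_hash
        return 0

    def trace(self, source_doc):
        """Every step that references a given invoice, receipt, or voucher."""
        return [e for e in self.entries if e.source_doc == source_doc]


def build_sample_trail():
    # Constructed sample transactions for an imaginary agency.
    trail = AuditTrail()
    trail.record("agent_jdoe", "premium_received", 1250.00, "RCPT-2041")
    trail.record("agent_jdoe", "premium_remitted", 1250.00, "INV-7781")
    trail.record("system", "commission_paid", 125.00, "VCHR-0093")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() == 0)
    trail.entries[1].amount = 12500.00   # simulate an after-the-fact edit
    print("first tampered entry:", trail.verify())
```

Running the script records three constructed steps, confirms the chain verifies, then alters the second entry's amount in place and shows that `verify()` now points at entry 2. In a real deployment the trail would live in a database with insert-only permissions, and the chain head would be checkpointed somewhere the application cannot write.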
- Use multi-factor authentication.
MFA (multi-factor authentication) requires more than one authentication method, drawn from different types of credentials, to verify a user’s identity for a login or transaction. For example, a policyholder logs into your website and is then asked to enter an additional code or one-time password that was sent to their phone or email.
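To show the server-side half of the one-time-code flow just described, here is an added Python example (not code from the article and not tied to any particular agency website). It issues a six-digit code after the password step, stores only a keyed hash of it, and accepts the code once, within a time limit, with a cap on guesses; the session store, secret, time limit and attempt limit are all this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a delivered code
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code

# Constructed in-memory store; a real portal would keep this in a database
# keyed by the login session.  Only a keyed hash of each code is stored.
_pending = {}  # session_id -> {"digest": bytes, "expires_at": float, "attempts": int}

# Hypothetical per-deployment secret used to key the stored code hashes.
_SERVER_SECRET = secrets.token_bytes(32)


def _digest(code):
    # Keyed hash so a leaked table does not reveal live codes.
    return hmac.new(_SERVER_SECRET, code.encode(), hashlib.sha256).digest()


def issue_code(session_id, now=None):
    """Create a fresh 6-digit code for a session that has passed the password
    step.  The returned string is what would be sent to the user's phone or
    email; the server keeps only its keyed hash."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"  # uniformly random 000000-999999
    _pending[session_id] = {
        "digest": _digest(code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session_id, submitted, now=None):
    """Return True exactly once for the right code within its window.
    Expired, exhausted, or already-used codes are discarded."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        _pending.pop(session_id, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(session_id, None)  # too many guesses: force a new code
        return False
    ok = hmac.compare_digest(entry["digest"], _digest(submitted))
    if ok:
        _pending.pop(session_id, None)  # single use
    return ok


if __name__ == "__main__":
    code = issue_code("session-demo")
    print("code delivered out of band:", code)
    print("wrong guess accepted:", verify_code("session-demo", "000000" if code != "000000" else "111111"))
    print("correct code accepted:", verify_code("session-demo", code))
    print("replay accepted:", verify_code("session-demo", code))
```

The comparison uses `hmac.compare_digest` so timing does not leak how many characters matched, and the code is removed from the store the moment it is accepted, so it cannot be replayed. Delivery of the code to the phone or email, and the rate limiting of code issuance itself, sit outside this snippet.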
- Have a procedure for disposal of nonpublic information.
Like encryption, this policy covers all electronic information that is not publicly available, such as PII, PHI, and PCI. Improper document destruction can be the downfall of small business security. Regulations vary from state to state, but agents doing business in more than one state should always uphold the highest requirements. Keep in mind that there is a difference between merely deleting information and disposing of it completely.
Disclaimer: If you are not comfortable doing this yourself or do not have someone at your agency who is – you can always contact a specialist or professional in the cybersecurity field who can help you.
If you need help finding a professional or want to know how you can better get started taking care of your agency’s cybersecurity, contact the professionals at Agent Pipeline today at 800.962.4693.