An agency can no longer get away with not having an in-depth cyberattack prevention plan. To survive increasing cyber threats, your agency must take action now—here’s how.
There's never been a better time to be an independent insurance agent. With the plethora of technology and workflow solutions to create the most efficient tech array possible, independent agents are now able to serve consumers the way they want to be served, when they want—and agencies can greatly increase their geographic reach in the process.
The volume of functionality is amazing: management systems, customer relationship managers, lead and prospecting tools, quoting platforms, mobile apps, chat, website, marketing, Voice over Internet Protocol (VoIP) and so much more. Agencies have more options than ever to customize their operation.
And yet, with every tech implementation, there are countless cybersecurity concerns. Gone are the days of quickly opening any email without closely scrutinizing it or freely sharing identifications and passwords. An agency can no longer get away with not having an in-depth cyberattack prevention plan.
Bad Actors
What's even more concerning? Gone are the days when we could kid ourselves that the nefarious cybercriminals are more focused on hacking a big box store than a local independent agency. The U.S. is the focus of more cyberattacks than any other country, and the insurance industry is one of the top targets. Risk-Based Security's “2021 Mid-Year Breach Report" revealed that the insurance industry is now the second-most targeted, accounting for 16.93% of all breaches.
And if just under 17% of all breaches doesn't sound like much, consider that in the first quarter of 2021, there were 18.88 billion records lost to breaches, according to Risk-Based Security's report. None of us needs to do the math to understand that 17% of 18.88 billion is a significant number—but if you're curious, it's 3.21 billion.
Ransomware holds the spotlight for cyber intrusions. Ransomware attacks increased 151% in the first half of 2021 compared to the same period in 2020, with 3.47 million attempted attacks, according to a SonicWall report. Add to this the rise of social engineering attacks, primarily via phishing and other email ploys, which rose 270% in 2021, according to SlashNext Threat Labs.
The bad actors gain access with ransomware or by introducing an initial system compromise through a virus or Trojan horse. They then establish a foothold by using their access to escalate their administrative privileges to further search computers and networks for valuable information, such as personally identifiable information (PII). After expanding their presence, they complete their mission of extracting the stolen information. Keep in mind, this can be months after the initial hack. On average, it takes a business 212 days to identify a breach, according to IBM's "Cost of a Data Breach Report 2021."
Beyond the potential of losing clients because of the reputational damage, data breaches carry a high cost. One of the major costs is response and remediation. Small business data breaches cost an average of $180 per record of customer PII, according to IBM's report.
The costs associated with a breach can be mitigated by carrying cyber liability insurance, but there are still costs to businesses. And post-breach, if any business is found not complying with state and federal cyber regulations, there can be civil penalties, which vary by state.
Know the Rules
The volume and complexity of data breaches are driving the growing number of cybersecurity acts and laws. It started with the Gramm-Leach-Bliley Act (GLBA) and now includes the New York Department of Financial Services (NY DFS), the California Consumer Privacy Act (CCPA) and the NAIC Model Law, which was adopted by 11 states as of December 2021.
To understand the laws applicable in your state go to Mintz Matrix, which details statutes in every state, its definition of a data breach, procedures, breach notification regulations and potential penalties for noncompliance with the regulations before and after a breach.
Based on the size and gross annual revenue of your agency, you may be able to file for a regulatory exemption, so be sure to understand your state's regulations. However, even if you qualify for an exemption, some steps still make sense to pursue, such as a vulnerability assessment and data encryption.
The laws create a maze of regulations that agencies must comply with, but we must do everything we can to protect our customers' valuable PII and our businesses.
Are You Covered?
Understanding your agency's and your customers' cyber coverage needs is key. The Big “I" has a partnership with Coalition, a leading technology-enabled cyber insurance solution, to give agents access to cyber and technology errors & omissions insurance markets. Coalition provides an online quoting process as well as ongoing monitoring.
To protect your business, your agency needs cyber liability insurance. Several companies sell cyber liability insurance, and your agency may already work with some of these. But be aware that the cyber liability market is hardening and rates are rising thanks to the growing volume of breaches and increasing breach financial impact. On average, rates have doubled since the surge in ransomware attacks began, and rising reinsurance costs will drive further rate hikes. As a result, the coverage is in demand. In 2020, the U.S cyber insurance market expanded to $4.1 billion in direct written premium, an increase of 29.1% over the previous year, according to the NAIC.
Taking all this into account, it is critical to obtain cyber liability insurance for your agency—and now is the time.
Prep Steps
How can your agency mitigate cyber risks? A thorough cybersecurity risk assessment is the first step. It's no small task, but it sets your agency up for success and lays out a clear path for a robust cybersecurity plan. The primary purpose of a cyber risk assessment is to keep stakeholders informed and support proper responses to identified risks. The risk assessments also provide an executive summary to help executives and directors make informed security decisions.
The assessment answers the following questions:
- What are the organization's most valuable information technology assets?
- What impact would a major data breach have on the business— whether from malware, social engineering or human error? One very common answer is customers' PII.
- What is the level of the potential impact of each identified threat?
- What are the internal and external vulnerabilities?
- What happens if those vulnerabilities are exploited? How likely would this be?
- What cyberattacks, cyber threats or security incidents could impact the ability of the business to function?
- What is the level of risk the organization is comfortable taking?
What Next?
After your agency has assessed its risk, the next steps include developing a Written Information Security Plan (WISP) and a response plan in the event a breach has been confirmed, as well as continuous staff security training.
That last component cannot be stressed enough. A business may have all the protection possible implemented in the form of firewalls, antivirus programs and real-time intrusion detection, but all can be lost if a staff member opens an email and clicks on a malicious link. This applies to frontline customer service representatives all the way up to agency ownership.
5 Cyber Resources
Resources are available for independent agents from Big “I" national and state associations. The Big “I" Agents Council for Technology (ACT) provides free resources for all Big “I" agent members across many types of technology and workflow topics.
Here are five resources you should take advantage of before it's too late:
1) “Agency Cyber Guide 3.0." ACT's “Agency Cyber Guide 3.0" breaks down the trends and provides a “12-Step Compliance Roadmap." It lays out areas of compliance, such as completing a risk assessment, and direction on how and where to get started.
The “12-Step Compliance Roadmap" includes more details on the following 12 cyber regulation steps as laid out by the GLBA and the NAIC:
- Risk assessment
- WISP
- Incident response plan
- Staff training and monitoring
- Vulnerability assessment and penetration testing
- Access control protocol
- Written security policy for third-party service providers
- Encryption of non-public information
- Designation of a chief information officer (CIO)
- Audit trail
- Implementing multi-factor authentication (MFA)
- Procedure for disposal of non-public information
2) “Agency Cyber-Readiness Self-Assessment." It can be difficult to know where your agency currently stands. ACT created an easy-to-use “Agency Cyber-Readiness Self-Assessment." By answering eight questions, you can determine your next strategic steps in your cybersecurity plan.
3) WISP. A Written Information Security Plan (WISP) is a document that details policies and procedures for ensuring confidential data is protected, how it is being protected and who is ensuring it is protected. A WISP includes both administrative and technical safeguards that an agency or small business has in place. ACT also provides a downloadable WISP.
4) “Remote Work Security Guide." The coronavirus pandemic demonstrated that every agency must be fully prepared for remote work and the cybersecurity challenges it presents. Access ACT's “Remote Work Security Guide," which provides a template outlining areas to cover.
5) Cybersecurity providers. Check out the matrix of cybersecurity providers in ACT's “Agency Cyber Guide 3.0." These are providers that agencies can partner with to assist assessment, planning and implementation. However, don't fall into “analysis paralysis." Immediate action is critical. Know that the Big “I" and ACT have your back on cybersecurity planning and execution. You can always find help on the Big “I" and ACT websites.
Ron Berg is executive director of the Big "I" Agents Council for Technology (ACT).