No independent insurance agency is an island, which is why agency-carrier agreements are being tightened to include requirements for higher data security standards.
The CrowdStrike IT outage that crashed millions of Windows systems in July was not a cyberattack. But it did deliver stark, sobering evidence of the consequences of our digital interconnectedness. All of us rely on digital tools for our personal and business livelihoods. When we lose access to our digital infrastructure, chaos follows—even if only temporarily.
That is why no insurance agency is an island to itself but is dependent on its carriers and vendors for vital services. Ask any agent whose agency management system (AMS) went down during the outage.
Cybercrime, however, poses a bigger threat to agencies than the occasional outage. Artificial intelligence (AI) has powered a new wave of cybercrime that now rivals the illegal drug trade, and cybercriminals see agencies as tempting targets. Why? First, agencies can serve as conduits to the data of carriers and vendors. Second, crooks know that agencies, like other small businesses, have fewer defenses to prevent ransomware attacks, business email compromise, wire transfer fraud and other schemes.
What does this have to do with agency agreements? Insurance companies see the same landscape as the cybercrooks. Carriers are growing concerned that agencies are not doing enough to harden their cyber defenses to stay ahead of the bad actors who use AI to launch more frequent and effective cyberattacks every day.
Agency agreements underwent significant changes several years ago, including language requiring adherence to data security regulations in the states in which the agency does business. In extreme cases, carriers reserved the right to conduct cybersecurity audits of vulnerable agencies. Today, agency agreements are being tightened yet again to include requirements to follow higher data security standards and best practices. Specific changes vary from company to company, and some carriers have not issued any changes yet. However, the trend toward more oversight is unmistakable.
One common change is the requirement that agencies notify the insurer of a data breach within 24 hours and include as much detail as possible. One example reads:
Each party will notify the other without undue delay, but in no event more than 24 hours after discovery of a cybersecurity breach or a possible cybersecurity breach in which the other's confidential information is or is suspected to have been lost, stolen, improperly altered, improperly destroyed, improperly used, or improperly accessed.
Another example reads:
The parties agree to safeguard data according to all commercially reasonable administrative, physical, and technical standards and in accordance with applicable laws and regulations. Additionally, the parties agree to reasonably comply with due diligence and periodic security assessment requests that are needed to confirm its security practices.
Insurers are also raising the bar for cybersecurity standards. One example says:
You agree to distribute privacy disclosures to applicants and holders of our policies and accounts in accordance with such laws and as required by us. You further warrant to maintain security safeguards to protect customer information that matches or exceeds standards for insurance agents.
Further revisions by insurers may require agencies to implement best practices already required in cyber insurance policies, such as immediate application of security patches, multifactor authentication (MFA) across an agency's entire network, and managed detection and response (MDR).
Tom Wetzel is CEO of Thomas H. Wetzel & Associates, an insurance digital marketing firm for agents that focuses on AI and cybercrime. He has spoken at many Big "I" conventions and serves on the faculty of the Academy of Insurance.