The internet has brought us many great things. Cute cat videos. Easier communication across long distances. Entertainment and shopping at our fingertips.
But the internet has also brought increased risk, and not just for consumers. Businesses are at greater risk than ever of data breaches, phishing scams and more. The insurance industry is no exception.
It was only a matter of time before we saw regulations for cybersecurity get enacted. And, in case you missed it, the first such regulation took effect in New York on March 1.
The NY Cybersecurity Regulation
The New York State Department of Financial Services put forth a cybersecurity regulation that is the first of its kind in the country. It contains mandatory standards for the financial services industry in the state, including insurers, agents and brokers.
The regulation requires these businesses to establish and maintain a cybersecurity program to protect individuals’ private data. Smaller businesses may qualify for a limited exemption.
If you are licensed in New York, this regulation applies to you. (Check out this helpful page from IIABNY for what to do.)
Even if you’re not licensed in New York, it’s still critical you have a security plan in place. Your state may not have a cybersecurity regulation. (Yet.)
But your state does have data breach laws. And there are other rules and regulations that have been around for years that address privacy and security concerns: HIPAA, HITECH and the Gramm-Leach-Bliley Act.
And, in the connected world we live in now, securing your clients’ data is just good business practice.
Why Cybersecurity is Important
It’s not just retailers and big banks that are experiencing data breaches. (Remember the breaches from Target, Home Depot and JPMorgan Chase?) It’s also happening in the insurance industry.
Your agency data is worth more than you think. You have a trove of information hackers would love to get. Think about what’s in your agency management system, comparative rater, and any other insurance agency software you use.
And if you do have a breach, what could happen?
• For your clients: If it exposed emails or phone numbers, they might be the target of phishing emails and scamming calls.
• For your clients: If it’s their Social Security numbers or birthdates, they may face fraud and/or identity theft.
• For you: There is financial impact. Fines, lawsuits, lawyer fees, cost of notifying your clients. Costs of improving your security after the breach.
• For you: If the financial impact doesn’t put you out of business, there is also reputational damage. According to a Forbes Insight report, 46 percent of companies have suffered reputational damage due to a data breach. Reputational damage can affect sales, as reputations are critical to building relationships. And in this industry, relationships are crucial for your future success.
Being a small business doesn’t protect you from a data breach. It makes the impact on your business more severe, because most likely you won’t survive the costs and damage to your reputation.
What You Can Do
Don’t wait until a regulation goes into effect to act. Whether you are licensed in New York or not, there are steps you need to take. More than likely you will do it anyway as other states watch what happens in New York.
Maybe your state doesn’t implement cybersecurity regulations. It’s still better for your agency and your future to have a plan in place.
There are three things you need to create as part of a cybersecurity program:
1. Information security plan
2. Data breach response plan
3. Third-party standards for your vendors
Get help assessing your risks and putting together your plans if you need it. Reach out to your state association to see what resources they have. Talk to your IT team.
Don’t Let Your Plans Gather Dust
Beyond the plans and standards, you will also need to train your employees.
Help them understand it is an important and serious issue. Show them what to do and what to watch for. Hold them accountable to your security plan.
Conduct regular tabletop exercises. This is when you meet and discuss a simulated emergency situation to practice your plan.
Review your plans once or twice a year to make sure they stay up to date with new technology, threats, etc.
A failure to plan is a plan to fail. Take the time to protect your agency and your clients by creating a cybersecurity program. It may save your business.
About the Author: Becky Schroeder