CYBER RISK FOR AGENCIES: HOW TO KEEP OUT THE WRONGDOERS
Agencies’ tech systems aren’t bulletproof against risk, so clients and business partners are at risk, too
By Brian Bartosh and Doug Mohr
In February 2021, New York State’s Department of Financial Services (DFS) published a cyber fraud alert. The alert was in response to reports of malicious behavior in an attempt to steal nonpublic personal information (NPI) from instant quote websites through exploitation and social engineering.
Instant quoting on a website has been touted by the insurance industry as a way to save consumers time and shorten the sales process for independent agents and carriers. While carriers routinely have these capabilities on their websites, independent agencies also may have public-facing websites that accept NPI.
Warns the DFS: “All regulated entities with public-facing websites that display or transmit NPI—even redacted NPI—should be vigilant.” That challenge applies to agents as well as to carriers.
IRMI (International Risk Management Institute) defines cyber liability, also called exploit liability, as: “Coverage, found in some cyber policies, that generally covers the insured for claims related to unauthorized access, viruses, or denial of service attacks that cause ‘network impairment’ where it becomes necessary to restore the insured’s network to the way it operated before the virus, attack, etc., occurred.”
An insurance provider operating an instant quote tool would need cyber liability insurance to the extent that they or their clients could potentially suffer loss from unauthorized access to the quoting system. These systems and others in an agency hold a significant amount of NPI.
An agency that takes account of cyber risks in its operations also aids in the risk management for those important third parties.
We’ve long known about agencies’ cyber vulnerabilities. In 2008, one independent agency reported a hack at the same time The Incredible Hulk was being released. Hackers invaded the agency’s system and ran an illegal movie download service through its server. At that time, earlier in the use of the internet, service providers left ports wide open on the network firewall. Network performance started to slip because of the unauthorized use, but the agency soon contacted a consultant to troubleshoot and fix the issue.
Here’s a look at current issues related to cyber risks and cyber coverages:
1. The number one cyber risk for agencies: Not taking cyber risk seriously, whether for prospects and clients or their agency. Of 36,500 independent agencies, many are likely still writing down user codes and leaving them in their office, vehicle, at home, or even taking them along when visiting a client. It’s too late in the cybersecurity game for agencies to be allowing this to happen. Other symptoms of security vulnerability are sharing passwords and having no security policy.
For this type of risk, the Agents Council for Technology’s (ACT) Cyber Guide is a resource, whether your agency is getting up to speed on cyber- security or is well underway. Designed to help agencies meet cybersecurity regulatory requirements, the guide is now in its third update because federal and state laws are changing quickly to keep pace with rapidly evolving cyber-security threats.
Cyber risk has taken on a new twist since March 2020, with the advent of widespread work-from-home practices for health and safety. Working from home increases the chance of cybersecurity issues originating from homes and other remote access points.
Cyber incidents in agencies typically put clients and business partners at risk. An agency that takes account of cyber risks in its operations also aids in the risk management for those important third parties.
2. Agencies are aware of the need for cyber insurance. The Big “I” 2020 Agency Universe study reported that perception of “the need for cyber policies [by agencies] has increased in 2020 over 2019 (66% vs. 56%).” It’s significantly higher with large and jumbo agencies (89%, 88%, respectively).
About three-quarters (78%) of agencies offer cyber policies to customers (although larger agencies are even more likely to offer them). A guideline to consider is telling prospects and clients: You need to have good risk management, not just good coverage.
3. State insurance regulatory guidelines might not fully protect an agency. States like New York and Michigan have their own robust cyber guidelines. Not all states do. Just because an agency is in compliance with the rules of its state, agency leadership shouldn’t consider that they’ve properly managed their own cyber risk.
4. Cyberattacks are predict-able, but not when, where, and to whom they happen. The Seattle Times reported in February 2021 that personal unemployment claims data (including banking information and Social Security numbers) of 1.4 million Washingtonians might have been stolen. The suspicion was that hackers made an unauthorized entry into a software provider, Accellion, which the state auditor’s office used to transfer large computer files. Citizens faced risks of fraud as well as identity theft at a time when unemployment usage was abnormally high due to the coronavirus pandemic.
5. Stop sharing passwords, right away. Agency leaders must recognize that sharing passwords amongst staff is a risk to cease as soon as possible. While it’s been convenient for agency users to share users IDs and passwords, the innocent days during which this practice presented few risks is gone. One reason is that when passwords are shared among the agency team, the source of a breach cannot be identified.
It’s up to each agency to find more convenient, secure ways to save passwords. Some agencies use the notes feature in a calendar/email program such as Outlook. Others use password-storing software.
But if an agency is looking for best practices in password control, what’s likely appropriate is multi-factor authentication (MFA), where users get a code via email or text to sign in. Many insurance tech providers and carriers support MFA in solutions. One reason is that New York cyber laws require this for agents’ systems. Further, tech providers tend to take data privacy seriously, with security teams within organizations constantly scanning for threats like the New York State cyber threat.
Other freewheeling ways of dealing with log-ins are allowing staff to use common words and names for user IDs and passwords. Yes, “p-a-s-s-w-o-r-d” might still be used, but no longer should be.
Some in the agency channel might view securing information from cyber risk as an annoyance, perceiving it is slowing workflow for little rationale. One method to reduce that (wrongful) perception is for independent agencies to reach out to their agency management systems providers, carriers and other insurtech providers to ask them to implement a federated sign-on. One such tool is SignOn Once, from ID Federation, which is dedicated to the independent insurance channel and consolidates multiple carrier log-ons into one log-in per agency user.
Now known as a SEMCI (single-entry, multiple-company interface) tool, SignOn Once streamlines activating and deactivating agency users, resulting in cost and time savings for agencies and business partners. It also allows agencies to keep up with the password changes mandated by carriers every 30 or 60 days for each user that accesses a real-time software connection to a carrier.
Brian Bartosh, CIC, LUTCF, is president of Top O’ Michigan Solutions, which has several locations in the state. Doug Mohr is vice president, industry relations, for Vertafore. Both are active technology leaders and are board members of ID Federation, creators of SignOn Once, the industry standard for streamlining secure access to carrier and business partner websites.
For more information:
Agents Council for Technology
Big “I” Cyber Resources