Since then, all of us in the insurance business have come to realize that it not only happens to us and our clients, but it might. We've responded by selling a lot of cyber liability policies to clients, and over half the agencies in America have bought such a policy themselves. The best agencies have developed protocols to minimize risk and mandated training for all employees. Secure email has become a fact of life, and cyber events are now frequent enough to have become something of background noise to us. Ignoring your agency's exposure is just asking for trouble, and not just from cybercriminals.
Several years ago, one of the country's largest independent agency insurance companies modified its agency contract and made the agent responsible for losses to the carrier if the loss came as a result of a problem originating with the agent's system. Now, these kinds of contractual risk transfers are becoming commonplace.
Introduction of Law to Safeguard Data
If this weren't enough to force insurance carriers and agents into action, the National Association of Insurance Commissioners (NAIC) has now adopted a model law that creates additional legal requirements for any person or firm in the insurance business to safeguard data. The act also creates obligations to notify state insurance departments in the event of a cybersecurity event.
The act has now been passed in eight states, and the NAIC anticipates that it will be adopted in all 50 states in the next few years. While it has an exemption for licensees with fewer than 10 employees who are compliant with HIPAA (Health Insurance Portability and Accountability Act of 1996), that doesn't necessarily mean small property and casualty (P&C) agencies are exempt. Many small P&C agents are not compliant with HIPAA.
California Consumer Privacy Act
California has gone even further with its California Consumer Privacy Act, which went into effect on January 1st, 2020. This law requires businesses to tell consumers what data is collected and how it's used, among other things. Both laws increase agents' obligations. Whether or not you currently do business in California or one of the eight states that have passed the NAIC law, you should consider taking action to ensure that you comply.
Protecting Your Data
The first step is to be very vigilant regarding the outside services you use in your agency that collect or disseminate data. While this is virtually everyone you do business with, you may want to focus especially on insurance carriers, agency automation vendors, website and app developers, and hosting services. Facebook, Google, and other social media sites deserve your attention as well. You need to understand each of these services' privacy, security, and data-sharing policies. Ask your vendors whether they sell, rent, or share your agency's data, including customer information. If they will not affirm that they don't do this, you should consider changing vendors.
Insurance companies are going to increase their scrutiny of your data security, your privacy policies, and the steps you're taking to protect your data. If you haven't bought a high-quality cyber liability insurance policy, now is the time to do that, too.