Cybersecurity Best Practices

How secure is your customers' most personal information? Would you know if it had been stolen? Professionals in the insurance industry collect very sensitive information from their clients, including Social Security numbers, dates of birth, and email addresses - and clients assume that this information will be protected. But in the digital age, where agents and brokers conduct business not only on office computers but also on mobile devices such as smartphones, tablets, and laptops, the threat of cyber breaches has never been greater. A cyber-attack on your organization not only causes financial loss but also damages your reputation and diminishes your customers' trust. Despite these consequences, many in the industry are not adequately protected.

According to the Insurance Digital Transformation Survey, the greatest concern for independent agents about storing data in the cloud is security, but many agencies do not have adequate security plans in place. More than half of agencies do not have a written security plan or hold cybersecurity training for their employees.

Data breaches can come from a variety of sources, including outside hackers, lost devices, or even your own employees. So it is important not only that your systems are configured to prevent outside access but also that your agency staff is trained to detect potential attacks.

"Locking Up" the Information

Gone are the days when locking a computer in a secure room was enough to protect a customer's information. With cloud computing and internet connections, a person thousands of miles away can gain access to your most confidential data. Agencies need to take proactive steps to make sure they are not an easy target for predators. These steps include:

  • Reconfigure your system devices such as routers. This includes replacing the default user IDs and passwords with ones unique to your organization.
  • Conduct an inventory of all approved computers, smartphones, tablets, etc. on your network to ensure that no unauthorized devices are connected.
  • Keep your systems up to date. Updates for computer systems and programs are constantly being released to correct errors and patch security issues that might arise. Staying on top of these updates reduces the chance that a hacker can infiltrate through a flaw in the system.

For many who are not IT experts, protecting technology and systems may seem like a daunting task - but a number of these things are simple and do not require a computer science degree. To make it easy for any agency (even one without a full-time IT staff) to protect its information, the Center for Internet Security (CIS), with input from ACT's Security Issues work group, developed a Cyber Hygiene toolkit - step-by-step instructions for implementing immediate and effective defenses against cyber-attacks. These toolkits can be found here and cover five key areas:

  • Count: know what's connected to your network
  • Configure: implement key security settings
  • Control: properly manage accounts and limit user and administrator privileges to only what they need to do their job
  • Patch: keep your system current
  • Repeat: security is not a one-time effort but needs to be constantly monitored

Training Your Employees to Be Vigilant

Cyber breaches do not come only from outside infiltrators. Sometimes employees can be the source of an attack, either accidentally or intentionally. To access a system, some attackers will send "phishing" emails - messages to employees that appear to be from a credible source and that ask for passwords or contain downloadable viruses. It is important to train your employees so they are aware of these potential threats and can identify them and report them to the administrator.

Disgruntled employees can also be a risk for cyber breaches, stealing information in order to "get back" at an agency. Controlling the accounts of your employees and limiting their access to only the systems and the information they need to do their work helps secure sensitive data and prevent the unauthorized disclosure of private information. Agency leaders should also be made aware of any potential employee conflicts so they can be on the lookout for any suspect activity.

For additional information:

Top 4 Cybersecurity Risks for Insurance Agents: Key cybersecurity risks for agencies

ACT Cybersecurity Issues for Insurance Agents: Tips for protecting your company's data

Independent Agents Need to Prepare for NYDFS Cybersecurity Regulation: Agent survey on cybersecurity readiness