Cyber Security Revisited

I began the year by writing two posts about the challenges and opportunities presented to insurance agents and agencies by cyber security issues.  During the last week of February, I attended a webinar that focused on what agents and agencies should be doing to protect themselves. (Click here for a link to that presentation.)  Next week, on March 16 at 2 p.m., Steve Anderson will be giving another webinar devoted to that topic. (Click here for a link to register for that webinar.)  Those who have been following my blog this year will recognize his name, as he is a nationally recognized expert in the use of technology by the insurance industry.  I wrote a couple of posts last month about a presentation that he made at a conference I attended on the use of social media in an agency’s marketing efforts.

It seems that cyber security will be the hot topic of 2016.  It is something that cannot be ignored by agents and agencies any longer.  If the practical reasons for paying attention to it that I explored in by blog posts earlier this year are not enough to motivate agents and agencies, the National Association of Insurance Commissioners (“NAIC”) is doing what it can to make sure that you have no choice.  It has proposed 12 principles for consideration by state insurance commissioners in enacting regulations that will govern what insurance agents and agencies, as well as others in the industry, must do to protect the data they collect.   Among these principles is a mandate that they have systems in place to alert consumers in a timely manner if there is a cyber security breach and that a minimum set of cyber security standards be enacted for all who are physically connected to the Internet and/or other public data networks, regardless of the size and scope of their operations.

The NAIC has also adopted a Consumer Bill of Rights related to cyber security that will be incorporated into its model laws and regulations and thus, will likely find its way into state regulations.  One such right is that every agency have a privacy policy posted on its website and available in hard copy for anyone who asks. This privacy policy should explain what personal information is collected, what choices consumers have about this information, how they can see and change or correct that information if needed, how that information is stored and protected, and what they can do if the agency does not follow its privacy policy.  The NAIC also thinks that consumers should get at least one year of identity theft protection paid for by the company or agent involved in a data breach.

The regulations are coming, so it makes sense for agents and agencies to get ahead of the curve and be ready for them.  One way to begin the process is by reviewing the webinar I attended and signing up for Mr. Anderson’s webinar next week.  Both of those will give agents and agencies the knowledge needed to create and implement appropriate cyber security policies and practices.