How Insurance Firms Can Minimize Cyber Risks


Cyber Security Controls, Privacy/Network Security Coverage Essential

Cyber threats come from many different sources, including business processes and services contracted with third-party vendors. We saw this with Target’s breach last year, in which a malware-laced phishing email sent to employees at an HVAC firm that does business with the giant retailer was linked to the cyber attack. We also saw this with hotelier Wyndham Worldwide Corporation, which was the target of three breach incidents occurring between April 2008 and January 2010. In a lawsuit against several of Wyndham’s directors and officers, shareholders are claiming the hotel “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The suit also claims that the company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions,” and that the company allowed its software to “be configured inappropriately.”

As businesses grow, all types of companies – including those in the insurance industry – are increasingly relying on third parties to provide services, which requires trusting the provider to protect their networks and data at the same or a greater level than they would themselves. This isn’t always the case. In fact, according to security firm Trustwave, which analyzed 450 data breaches in 2013, nearly two-thirds were related to third-party IT providers.

Within the insurance industry, many agencies, brokers, and MGAs/MGUs outsource their back-office processes, which gives the vendor access to customer data. While there are numerous benefits to outsourcing, there are critical measures that must be implemented to ensure that a vendor is taking the steps needed to minimize cyber exposures.

First of all, be sure that all vendors that require access to your policy administration systems or agency management systems have detailed security policies that are regularly reviewed, updated, and enforced. A policy is nothing but a useless piece of paper if it isn’t maintained and enforced. The policies need to be readily available for review, and supporting documentation of the security controls should be available to the contracting business.

In addition, the effectiveness of those policies and security controls must be validated on a regular basis. A combination of penetration testing and risk assessment needs to be performed at least annually, if not more often. If the third-party vendor is not already doing part of this, the business may consider including the vendor’s systems in its own regular testing.

When remote access is required for business partners, vendors, and consultants, that access needs to be tightly segmented and isolated as much as possible from the rest of the production network. Controls should be in place restricting third-party access to only those resources that absolutely must be reached to conduct business.

Web applications need to be locked down, isolated, and monitored. They are a particularly common weak link when the expectation is that they will only be accessed internally. A thorough security review should test to ensure the applications do not suffer from issues that could allow a malicious attacker to gain deeper access into the network.

In addition to policies and controls, insurance agencies, MGAs, and wholesalers should have a written agreement with the vendor stating that any breach will result in immediate notification. This puts the business on notice to be extra vigilant in monitoring for suspicious activity. A post-mortem should also be required to help all parties understand where the attack originated and the techniques used during the breach, and to ensure that the issue and any similar ones are addressed quickly.

In addition, when contracting with third-party vendors, be sure that these questions are asked and answered in writing:

  • What employee background checks are performed to ensure workforce security? Are employee confidentiality agreements enforced?
  • What employee training is in place to promote and foster information security awareness?
  • When an employee leaves the firm, what steps are in place to ensure that all access is revoked and business assets are retrieved? Are clients notified when an employee leaves so that the departed user’s account can be removed?
  • What protocols are implemented to protect a client’s data? This includes the guidelines in place for acceptable use of the client’s data and appropriate behavior on the client’s remote servers.
  • What is the process for securely storing and auditing usernames, passwords, and the instructions used to connect to the system?
  • What approval processes have been implemented for any exceptions to the security procedures in place? Who gets notified of these exceptions?
  • Does the vendor’s disaster plan/business continuity plan contemplate making data available in the event of a catastrophe, including replication of data at different locations, encrypted backup tapes stored offsite and other measures?

Of course, cyber liability insurance is a must to respond to the costs involved in the event of a breach. At Axis Insurance Services, in addition to providing Errors & Omissions coverage to insurance agents, brokers, MGAs and MGUs, we can also secure a robust Cyber insurance solution. Give us a call at (877) 787-5258 to find out how we can help you with both E&O and Cyber Liability/Privacy/Network Security coverage.

Blogged on: August 6, 2014 by Mike Smith