CYBERSECURITY: WHAT YOU DON’T KNOW CAN HURT YOU
By Paul Kapadia
We all experienced how the pandemic changed personal and professional aspects of our lives. As the world quickly adapted to accommodate the constraints created by COVID-19, we leveraged technology for operational flexibility and efficiencies. For our industry, like many others, remote working was the only viable option, and we all took advantage of it to the fullest with the help of technology.
NEW TECHNOLOGY, NEW RISKS
In general, businesses survived, and many of us did better than we anticipated. But we achieved this at the cost of compromising the privacy and security of information – on a personal as well as a professional front. Personally, we adapted, from online grocery shopping to banking and signing important documents online. Some of these changes that we assumed to be temporary are now here to stay. On a professional front, businesses have realized the true potential of technology and how it could be effectively leveraged for cost savings and growth.
Unfortunately, this hasty transition is exactly what cyber criminals were hoping for, and they are taking full advantage of it. As seen in recent events, they have been targeting insurance agencies purely because of the quality and quantity of data they can get with relatively little effort, which is why the overall risk for agencies has increased significantly.
BEYOND TRADITIONAL IT INFRASTRUCTURE
Every business has an IT team (internal or external) that manages the IT infrastructure needs and IT security for that business. Yet despite their efforts and the preventive measures in place, many agencies have been the victim of a cyberattack and have suffered heavy losses and business disruptions. Some of them have been victimized multiple times.
Cyber insurance provides reimbursement of these quantified losses – with the caveat that the policyholder adhered to and documented preventive measures. In some cases, businesses have failed to secure damages when their IT team was not able to establish proof of these measures, as per the compliance guidelines of the insurance policy. In fact, insurance carriers have started implementing assessments of a policyholder’s IT infrastructure to calculate cyber premiums.
A CUSTOMIZED APPROACH
While the easy solution is to have a comprehensive cyber security audit done by a certified third-party auditor, this is a very expensive proposition for small agencies (which are a large part of our member base). That is why IA&B put together a very cost-effective Cyber Security Vulnerability Assessment (CSVA) service. A number of IA&B members have already used this service and benefited from a comprehensive analysis of the current security vulnerability situation of their business. In addition, over 90 member agency representatives attended our January 2021 webinar on the topic.
CSVA is designed to test the robustness of an agency’s basic infrastructure security and review preventive measures and adherence to industry best practices. The assessment is based on the National Institute of Standards and Technology framework designed by the U.S. Department of Homeland Security (DHS), and it is aligned with the New York Department of Financial Services requirements to help our member agencies that are writing business in New York State. This is important as some of the same compliance guidelines are making their way into other states’ requirements, as these states become more stringent in response to an increase in cyberattacks.
INSIGHT INTO THE PROCESS
This assessment is designed to be carried out without involving an agency’s IT team. This allows us to find vulnerabilities in an “as is” state. An agency representative – usually the agency owner or office manager – is asked questions per the DHS guidelines, and then, based on the captured information, we tailor the test to meet your organization’s specific security criteria. The vulnerability assessments use industry-recognized tools and take place in parallel without disturbing your agency’s day-to-day operations. For a small agency (typically one location with fewer than 10 employees), this process takes anywhere from three to five business days.
At the end of the process, a comprehensive report is created and presented to the agency with the findings and recommendations for the identified vulnerabilities. The agency then can engage their IT support team – or rely on the IA&B team – to execute the recommendations.
With cyberattacks, cyber insurance policy requirements, and regulatory guidelines all on the rise, I encourage IA&B members to be aware of their current security vulnerabilities and ensure that adequate preventive measures are in place for a safe and secure work environment.
IA&B Technology Advisor Paul Kapadia works on behalf of IA&B to offer products and services that make independent agencies safer, smarter, and more profitable. Paul is available to consult with IA&B members. Contact him at 732-423-9991 or PaulK@IABforME.com.