FAIA Members | NEW Cybersecurity regulation for insurance agencies!
Hi, I’m Nate Ginter, chief technology officer for Vine IT cybersecurity services and a certified cybersecurity auditor. One of the things I get asked about a lot in the last few months is this: as we all know, the New York Department of Financial Services has passed a new cybersecurity regulation that applies to insurance agencies of all sizes, and specifically because of that, many of the carriers that we’re dealing with, whether it’s, you know, Blue Cross Blue Shield; today we’re going to be talking about AmTrust North America specifically. They’re sending out these requests for verification letters. What those letters are doing is basically trying to get you to attest to the fact that you are meeting these regulations and the specific tenets that are included in the New York financial services regulations.
It’s kind of interesting, because many of these specific things that your agencies are supposed to be doing from a cybersecurity perspective have actually been in place as laws and regulations that you’ve been supposed to be following for many years. It’s just that New York is the first one to actually put some teeth behind it, and that’s really prompted these carriers to move and make sure that, as an industry, agencies are really doing what they need to do to protect their clients’ data.
So, what I wanted to do was go through the specific request for verification from AmTrust. There are different questions they’re going to be asking about a couple of different areas; I’ll explain to you what they mean and some remedies or some places to seek additional information if you have any questions. Just because this one is for AmTrust North America doesn’t mean that it won’t apply to things like questionnaires being put out by Blue Cross Blue Shield or some of the other carriers themselves. So, what I’m going to do is actually go through and deal with each of these questions one by one, and I’ll try to give you as much information as possible while keeping this video brief. But if you do have any additional questions afterward, please feel free to reach out to me or Vine IT. We’ll be happy to answer those for you.
So, the first question is pretty basic. Yes or no: my company is a covered entity under 23 NYCRR 500. All that means is, does the New York Codes, Rules and Regulations apply to you as an insurance agency? The answer to that is yes. If you’re selling insurance and you have clients that are in the New York State area, it does apply to you. If you don’t, or if you’re doing business outside of New York State, then you don’t really have to worry about it. But here’s the thing: even if you’re in Florida as an agency and you have clients that are in New York, you still have to list yourself as a covered agency.
Now, one of the sub-questions they ask is, if the answer is affirmative, meaning you do, in fact, have clients that are based in New York State, has your company filed any exemptions under that code of regulation? What they’re basically trying to let you know there is that they, and the New York DFS, understand that if you only have a couple of clients in New York, or the amount of revenue being generated by your business is very small, you should have a little leniency over somebody who’s, you know, writing tens of millions of dollars in policies in New York State.
I believe the amount is 5 million dollars’ worth of policy coverage that you can apply for an exemption from. Which means that, basically, you don’t have to meet all the regulations, and that’s as of today. It really depends on the volume of policies that you’re writing, and you can actually work with your carrier a little bit to find out whether or not you do, in fact, have the ability to apply for an exemption. It’s still something you need to officially do through the New York Department of Financial Services website. It’s not enough to just say, “it doesn’t apply to me.” You do actually have to specifically apply for an exemption there.
So, that’s more of a regulatory thing, a little bit outside of traditional cybersecurity, but a lot of those things are tying together these days. So, the second question is: my company has implemented the use of multi-factor authentication or uses reasonably equivalent or more secure access controls in externally accessing AmTrust’s systems and data. Well, that’s a mouthful. So, what they’re basically asking is, for the systems that you’re using for your client data, are they protected with multi-factor authentication?
I’ve talked a little bit in previous videos about multi-factor authentication. Pretty much everybody who uses computer systems these days has used it. A great example is, if you’re signing into Gmail and they ask for a six-digit code to verify, or almost every bank account that you would log into these days: if it’s the first time you’ve logged into it in 30 days, or maybe you’re logging on from your mobile phone instead of your normal home connection, they send you a text that has six digits to type in after you put in your username and password. That’s all multi-factor authentication is.
So, this is actually a newer technology, so a lot of agencies haven’t implemented it. And it’s also a good point in time to point out that a lot of times when we think about client data, we’re thinking about “oh, my agency management system. Maybe it’s Vertafore AMS360 or HawkSoft,” something of that nature, and you think, “OK, well, that’s where my data is.” What I like to do is sit down with my clients and explain to them, “OK, so it doesn’t just magically appear there. How does it actually get there? Does somebody type it in? Is it emailed to you?” And a lot of times I’ll hear workflows like, “well, we’ll take in a form from the website and we’ll contact the client and have them send us additional data, usually via email.” So, we need to make sure that two-factor authentication is in place in systems like email that might be holding your client data before it gets to your agency management system. Also, it’s very important to talk to your agency management system people. Again, there are a lot of major manufacturers out there. You can talk to their sales department or even call them with a tech support request to make sure that those options are enabled for you so you can meet these requirements.
Well, it’s only New York that’s specifically requiring multi-factor authentication today, but that’s something that is absolutely going to be a prevailing industry standard moving forward, and it’s usually very easy to implement. It just takes a little bit of work on the back end, typically. So, that statement again: they’re asking you to check that you have done that. Their second option actually says that you have not fully implemented multi-factor authentication. Maybe you don’t have it at all. Maybe you’ve got it on your email but not on your agency management system, or vice versa, and they’re asking you to put down a date in 2019 when you will have that completed.
There’s not a long lead time here for this, so, you know, if you sign off that you don’t have it implemented and you will by the end of the year, you really want to make sure that you’re making some steps to make that happen, because you could technically be in breach of your contract with them. They could use it as a reason to pull your carrier coverage, or to come after you in the event that there is a breach and put full liability for that data breach on your part as well. So, that’s something you want to be aware of. Again, the highlight of number 2: multi-factor, fairly easy to implement depending on the system you’ve got, and something that you definitely want to look into if you don’t have it and you’re claiming number 2.
So, we’ll talk a little bit about question number 3: my company has implemented encryption of AmTrust data at rest and in transit, or, if encryption of AmTrust data at rest and in transit is infeasible, has implemented effective alternate compensating controls. Boy, it’s awesome they make those so easy to understand. I get confused just reading them half the time. The two concepts we really need to worry about here are ‘at rest’ and ‘in transit’, basically meaning that wherever you’re finally storing all the client data that you’re entering in, that is encrypted and secured, and also that the method you’re transporting it with is secure. For example, a text message is very easy to intercept, so I wouldn’t want my bank storing my credit card information by having me text it to them. Obviously, you want to enter that into some sort of secure web portal.
Almost every agency management system that exists today does that; I haven’t heard of one that doesn’t. Where you need to make sure that you’re implementing security is if you are using things like email to transmit data back and forth between members of departments, or between clients and yourself, that you have those emails encrypted and locked down. So, it’s basically asking if you have good management controls in place with encryption for your agency management system, your email, and any other place that you might find large quantities of that data. Of course, when you’re doing something like printing, or generally talking about one record at a time, that’s really not something that you’re going to be encrypting, but where you have those big repositories, that’s the important part. So, yes, basically, is the answer if you have those sorts of controls in place, and again, if you don’t, please feel free to give us a call. We’re always happy to talk to people about how to make those systems more secure. If you haven’t, there’s an option number 2 again for ‘not fully implemented’ for ‘data at rest’ and ‘in transit’, but you will have fully implemented ‘data at rest’ and ‘in transit’ encryption by the end of 2019. So again, they’re not saying they won’t do business with you if you don’t have it in place, but they want you to have it in place by the end of the year.
And number four is a much simpler one, but actually a little bit further reaching than the others. The affirmative statement they’re asking you to make is that “my company has undergone a cybersecurity and vulnerability audit within the past twelve months.” Now, it’s important to note that there are a lot of places out there that will sell you a scan. So, there are places like Trustwave and these sorts of things that will scan your external environment, and they’ll charge you a couple of hundred bucks for it. Usually they do it quarterly, and a lot of people think that that is a cybersecurity audit. That is not a cybersecurity audit. A cybersecurity audit takes a look at your internal workflow practices: everything from hiring and firing, access credentials, new employees coming on board, up to your workflows of, as we talked about a little bit earlier, how your data makes it from the client into where it’s ultimately going to reside; what your backup processes are like; how you’re monitoring and patching your machines; updates for your hardware like your firewalls and your network connectivity switches. So, there’s a lot more to it than just a simple scan that somebody is going to offer you.
If somebody comes to you and tells you that they can do that with an automated scan from a third party, not likely. It’s not something that you’re going to see; it’s not just something where you go online and click a button and put in your credit card info. You actually need to work with a well-certified auditor to make sure that you actually have a good understanding of your business’s vulnerabilities and the risk to your client data, and try to minimize those things or transfer that risk by putting the proper amount of liability insurance in place.
So, they’re asking, basically, yes or no, whether or not you’ve had that done. So those are your first two options there, and they also go a little bit further, and this is where the New York DFS also gets a little bit more in-depth than some of the other compliance centers that were out there. They’re asking you to affirm: if the answer to the above is affirmative or ‘yes’, were any critical or severe vulnerabilities reported which have not been remedied? Now, what they’re asking there is, if you have had one of these audits done, either by a company like Vine IT or another provider, when they give you a list of recommendations, was there anything that was listed as a high or severe vulnerability that you still haven’t addressed? They want to know that for obvious reasons. If you’ve got severe vulnerabilities to client data, they’d like to know what they are and make their own decisions on whether they want to continue doing business with you. They also want to know, if you have had an audit done, was the audit performed by an independent third party? They want to make sure that you’re not having some internal employee decide whether or not your practices are acceptable. They want somebody with some certification or experience in the industry of cybersecurity verifying that your processes are correct.
It’s also pretty helpful to make sure that, if you do have a cybersecurity provider or a managed service provider, the IT guy that you call when you have issues, it’s not him that’s determining whether or not you’re actually secure. As I like to say, “if you think there might be money missing from your account, you don’t want to ask your accountant.” You want a third-party accountant to look at that for you to help make sure that there’s nothing else going on that you need to be aware of.
So, for number five, we have another statement here that is what we typically call the “breach response” or “incident response” category, and it states that “the company will, as soon as reasonably practicable but no more than 24 hours from the time my company becomes aware of a cybersecurity event, notify AmTrust of any material unauthorized access, possession, disclosure, use or knowledge of AmTrust data subject to a cybersecurity event. My company will submit such notification through email to the following address: securityamtrustgroup.com.” Now, that is a very long-winded way of saying that if you guys have a breach, or you suspect there’s some data missing, you will actually go through and notify AmTrust that that data is in jeopardy within 24 hours. So basically, let them know within a day. That’s what they’re asking.
So finally, the last question that they’re asking here, number 6, is for you to provide a list of cybersecurity standards that the company complies with. So, if you actually fall under HIPAA regulations, whether you have client data that includes any health information or personally identifiable health information, you might be complying with the HIPAA standard, as an example. Also, if you’re working with a good cybersecurity auditor or consultants who are helping put you on a specific standard: we use a standard from the National Institute of Standards and Technology, 800-53 revision 4, specifically, very nerdy stuff. But basically, it is the Federal Information Security Management standards recommendation, what the government actually recommends that you do to comply with different regulations that are out there.
So again, an easy one. Just put down HIPAA if you’ve already had any HIPAA auditing done or you’re following that standard, but I also recommend that if you are looking for a consultant, ask them, “What’s the baseline that you guys are using? What are the standards that you are meeting in your auditing criteria?” so that you know what sort of standards you’re working off of. And it’s not something you need to get too deep in the weeds with, but your auditor should be able to provide you with that information. So, we appreciate your time. Thanks for taking a little deeper dive into what the requests for verification actually are, and again, this one was specifically related to the recent document from AmTrust North America, but the topics that we covered here also apply to a lot of other carriers that are out there. I can’t go through every single one in a video, but if you get one that has additional questions or ones that are worded differently, you’re always welcome to reach out to us and we’re happy to help you out. Thanks, and have a great day.