Is Your Agency Keeping Up With I.T. Security Requirements?
Compliance requirements in Michigan [and everywhere] continue to get stricter regarding data security and technology for businesses. But why?
Well, your technology plays a huge role in overall security.
In the past 12 months, 23% of small businesses suffered at least one cyber attack, with an average annual financial cost of $25k (Hiscox Cyber Readiness Report 2021). Ouch! As cumbersome and time-consuming as more rules and regulations can be, it's in the best interest of your customers, partners, carriers, and your agency.
It’s more important than ever to stay up to date on agency requirements from governing laws and trends in carrier requirements for cyber liability insurance.
I’m sure you’ve heard about the amended Insurance Code by now. Michigan adopted the NAIC Insurance Data Security Model Law in 2018 and there have been deadlines for requirements at set intervals ever since.
What does that actually mean though? And how do you know if the requirements apply to you?
On January 20, 2022, Michigan insurance agencies with 25 or more employees were required to have a Written Information Security Program (WISP) implemented. Agencies must also certify compliance with the program annually by February 15.
If your agency meets those criteria and you haven’t developed a WISP yet, there is absolutely no time to waste. You will face consequences if you aren’t compliant, which can range from fines or loss of license to lawsuits if you experience a data breach. Not to mention the downtime and financial hardship that comes with an attack of that nature.
There are WISP templates available to purchase across various sources that can get you started. Many I.T. providers, like Omega Computer Services, may provide their clients with a template and assist each individual with choosing the compliance framework that fits their business.
Even though agencies with fewer than 25 employees are not required to have a WISP, it is strongly recommended. Other requirements outlined in Michigan’s Data Security Act, like reporting a cybersecurity event in Section 500.559, are applicable regardless of staff size. It is leaps and bounds easier to include the correct information in your notification if you already have your safeguards and employee responsibilities outlined in a WISP.
If you work in the insurance industry, you are probably very familiar with decisions being made to avoid risk. This is the same with cyber liability insurance or data breach insurance.
With the increasing amount of cyberattacks successfully targeting businesses, carriers are requiring more and more security controls to qualify for coverage or even offer these types of policies. The increased scrutiny is causing more denial of coverage, policy restrictions, and higher premiums for higher-risk participants. For this reason and many others, your agency should stay ahead of I.T. security and encourage your customers to do the same.
Generally, requirements differ from carrier to carrier; however, the trends in pre-audit evaluations, risk assessments, and underwriting requirements are:
- Multi-Factor Authentication (MFA)
  - on admin logins
  - on email accounts
  - for remote access
  - for backups
- Anti-Virus Software
- Employee Security Training
- Network Security Devices (ex: Firewall)
- Backup & Disaster Recovery Plan
- Patch Management
- PCI and HIPAA Compliant
At Omega Computer Services, we offer all of the above and more in our security bundle, which now comes standard in our plans. Your I.T. provider or MSP should have similar offerings or can point you in the right direction. If you have questions, we are more than happy to help.
Let’s recap. If you are a Michigan insurance agency, you should:
- Revisit your Written Information Security Program (WISP) or get one developed and implemented ASAP
  - This should include language and safeguards from the cybersecurity compliance framework your business chooses to follow.
  - Reach out to your IT provider or MSP, like Omega Computer Services, for help!
- If you haven’t already, submit your Annual Certification; it was due by February 15th
- At the very least, start using Multi-Factor Authentication (MFA) companywide to substantially increase security. This seems to be a minimum requirement from carriers in this new landscape.
- Create a culture of security within your agency to keep compliance and safety top of mind. Cybersecurity is everyone’s responsibility. Make sure all employees know:
  - What cyber and data attacks look like (ex: phishing email)
  - When and how to report a potential threat or cybersecurity event
If you are not in the insurance industry, don’t worry, this is just a sneak peek at what compliance will look like for most businesses in the very near future.