The Risk of Data Breach in Agencies Today

Insurance Journal's Tech Talk column is made possible in part by the generous support of ITC

Data breaches pose a serious threat to agents even though incidents involving large companies such as Target and Sony produce all the headlines. All agencies are vulnerable to breaches, no matter what their size, location or specialties. Yet there are simple steps agents can take to mitigate the risks to their business and those of their clients.

Well-known insurance technology expert Steve Anderson believes that the number of agents who have experienced a reported breach may be low, but he still has concerns.

“Of more concern are agents who may have had a breach and don’t know it,” Anderson says. “There’s no question that the numbers and the risks are going up because of the automated programs that probe for vulnerability.”

According to Anderson, the biggest threat to agents is employees who allow phishing attacks which use false emails that contain viruses.

Jay Shelton, Assurance’s senior vice president of risk management services, agrees that the most common breaches involve employees stealing information or phishing attacks.

Shelton says agents should also recognize that their exposure is tied to the risks faced by clients. Higher risks are usually associated with data-rich industries such as health care.

Physical breaches can include exposure of agency data through loss of mobile devices that are not properly password protected, a client viewing an employee’s desktop when they step away, papers left unattended on a desk, or the theft of a server or computer from the office. Electronic breaches include hacking into an agency server or data stored in the cloud, and the risk of sending unprotected email with personal information.

The first line of defense is education, Anderson says. “Agency staff needs training to understand and recognize the exposures they face,” he says. For example, if the agency scans checks or takes credit card payments, does the agency need to retain that information? “Because if it’s breached, that presents a problem.”

Shelton says the best way to fight breaches is to take one of two approaches. “One approach is to establish a protective perimeter which seeks to block hacking in the first place,” he says. The other approach “is the roach motel strategy in which we assume there will be hacking.” As a consequence, the most sensitive material enjoys a higher level of security but once the hacker is in they can’t get out, Shelton says. “Either way, every agency needs to have a good breach response program in place and to know what their exposures are and how they will respond.”

The nature of hacks is changing, Shelton says. Small businesses can be vulnerable to “ransomware,” in which a code locks up computer files and a ransom demand is made to free them.

“What scares me are hacks that are ideologically motivated,” Shelton says. “In cases like this, the motivation is not money. That suggests a different level of exposure, such as educational institutions that might have enemies and that maintain open-source platforms.”

Risk mitigation must include maintaining up-to-date firewalls, antivirus and malware software detection programs, and comprehensive cyber liability, the experts say.

Some other steps to consider include:

• Appointing a staff member to coordinate, log and maintain a list of mobile devices in the field.
• Adhering to state regulation regarding personal information and data breach.
• Locating the server behind a protected door or wall in a separate area of the office.
• Creating a staff policy for no files and paperwork on desks in reach of client.
• Installing automatic screen savers on all desks that begin in one minute and then a password must be entered to log back on.
• Using transport layer security, or a third-party vendor or program when sending emails that contain personal information.
• Requiring remote access authentication and validation.

Topics Cyber Agencies