Cyberspace Survival Guide
In today’s 24/7 world, advances in technology have enabled companies to be accessible to their clients anytime, anywhere, and cutting-edge BGAs of all sizes are effectively implementing the latest software, tablets, smart phones, computers and communications tools to streamline their operations and, in many cases, expand their businesses well beyond the confines of the traditional brick-and-mortar office. This move toward de-centralized operations and remote offices offers agencies unprecedented agility and access to their customers, but it also presents new challenges, particularly when it comes to protecting the integrity of the company’s sensitive data.
This issue, we explore 5 fundamental best practices for safely and successfully operating a BGA in a virtual world.
1 Protect Your Paper Trail
Digitization of the life insurance policy-writing process is perhaps the most notable technological advance in terms of enabling even small BGAs to work remotely or to operate from many offices.
“The virtualization of the office has reached a fever pitch because of its obvious benefit in the current marketplace,” said D. Michael Bridges, president of PaperClip, Inc., a provider of document management services for BGAs and insurance carriers. “People want to work more from home to cut expenses, offices want to shrink to cut expenses, and there’s certainly a move toward getting rid of consumables like paper and ink, also to cut expenses.”
This shift away from the traditional, BGA home office way of doing business is at odds with the tendency among career agents to cling to the pen-and-paper method of writing policies.
“The challenge in this world is getting people away from paper at all levels, but I look at it as common sense,” explained Bridges, whose company helps its clients operate virtually via a secure, automated method for exchanging digital documents. “If you process paper today, it costs you $1.30 a page; if you process in a virtual world, you can get that as low as $0.25 a page.”
Replacing paper files with electronic data is about more than costsavings; according to Bridges, it is also a necessary step in protecting a company’s sensitive data. As regulations become increasingly stringent, meeting compliance standards for protecting customers’ data using a paper-based system presents a challenge.
“The real key here isn’t so much that you can’t secure paper; the challenge is to account for its use,” said Bridges. “For instance, how many paper copies are out there of Mike Bridges’ medical record? In a paper world, you really can’t answer that. But in an electronic world, you can build an audit or a chain of custody and produce records that detail, ‘How did we get this electronically?,’ and ‘Who had access to it?’” This sort of detailed accounting for the whereabouts of digital data, Bridges predicts, will eventually become a compulsory tool for companies that deal with customers’ private information.
“Securing data is one thing, but accounting for its use is another thing, and it will continue to become more and more regulated,” he said. “By far, it’s been the biggest caveat of the last five or six years’ of legislation.”
2 Encrypt Everything
The focus on data integrity by regulatory bodies at both the state and federal levels has given rise to a singular, essential step all BGAs must take: data encryption.
“All the information BGAs touch today needs to be encrypted,” explained Bridges. “If you follow that one simple principle of encrypting everything, the rules and regulations will almost always give you safe harbor. It’s like a ‘get out of jail free card,’ because if someone breaks into your system and steals encrypted files, there’s nothing they can do with it.”
A plethora of options exist for data encryption, from software installed and managed at the BGA level to full-service outsourced solutions such as those offered by Bridges’ company.
“The laws say you, the BGA, are ultimately responsible for compliance, even if you outsource to somebody like PaperClip, who is inspected and audited by a number of organizations several times a year,” he said. “So, if I was a principal of a brokerage general agency, I would make sure all of my stuff was encrypted.”
3 Create A Data Ingretity Policy
Even the best encryption and data auditing tools are just pieces of a much larger strategy to ensure customers’ sensitive information is protected. The use of such tools, and what happens in the event of their misuse, should be included in a formal written policy that specifically addresses data integrity.
“Whether you have a security policy or just an employee manual, one thing is critical: breaches of security are grounds for dismissal, no question about it,” said Joann Mattson, vice president of administration at Four Seasons Financial Group, Inc.,
“Just having a really tight, crystal clear policy in place that’s given to every employee and signed by every employee is sometimes the best ‘Step One’ you can take.”
The written policy should also establish distinct roles for each employee in terms of what information can be accessed by whom. BGAs can take steps within their information infrastructure to manage and reinforce these roles.
“Once you determine what data needs to be protected and who needs access to what, then you assign them their roles within the database to only that data,” explained Mattson, a past Chair of NAILBA’s former Technology Committee (now the Independent Technology Committee). “A lot of offices are going to remote users, remote underwriters, and remote case managers, and they should not be any different in their security roles than if they were housed in your office.”
The best way to ensure employees do not gain access to information they should not see is to provide them with equipment that has the company’s policies in place, Mattson said.
“If you’re going to provide remote employees with a laptop, that laptop should have the antivirus software and the data encryption application and other security policies already built into it,” she said. “Or, your policy may be ‘you can’t use USB ports,’ because what’s to prevent someone from sticking a little thumb drive into a USB port on the side of a laptop and ulling off a bunch of client information?”
Put the ‘no USB port’ policy in writing, Mattson advised, but reinforce that policy using existing technology.
“There’s a function within the Windows operating system that allows you to shut down those USB ports,” she explained. “Give your remote users the equipment they need and the explicit written instructions outlining the repercussions for any breaches to that security policy, but also take your own steps like locking down the USB ports to mitigate any risk of a breach.”
4 Know the Rules
Given the growing trend among BGAs to expand into nontraditional distribution channels such as banks, wire houses and broker dealers, the importance of preserving data integrity is paramount in order to remain competitive and eligible to work with other companies. Financial services organizations in the banking and investment sector are subject to different, often more stringent, regulations, and those regulations for data protection push down to the BGAs they work with.
“You have to know your business, know who you’re working with, and know what guidelines you have to follow when you’re working with them in terms of what data needs to be protected and to what degree and using what method,” Mattson said. “For a BGA office that’s working predominantly with independent agents, the level of regulation really hasn’t funneled down yet, but, if you’re talking about BGAs that work with broker dealers and are doing variable business, they’re subject to FINRA regulation as well as regulation by the SEC.”
At the top of the regulation ‘food chain,’ according to Mattson, are banks and wire houses.
“Most of these banks have vendor management policies, and they require their vendors, including the BGAs they work with, to follow the same guidelines the bank is required to follow,” she said. “So, if the FDIC is telling the bank they must use a 10 digit password to get into their e-mail and force a change every 30 days, then the bank is going to require the BGA’s office staff to do the same thing.”
5 Protect Your Assets
Despite all the precautionary steps a BGA can take, it is prudent to plan for the worst-case-scenario. In the case of data integrity, a breach of that data is the biggest liability a brokerage agency can expect.
“The laws are very strict about how you behave after a breach, and it can cost companies up to $200 per record that is lost,” cautioned Bridges. “General liability insurance doesn’t typically cover the costs related to data breaches, and if you lose 1,000 records at $200 per record, the insurance company doesn’t want to write a check for that.”
Couple those hefty fines with the cost of buying credit monitoring services for each of those clients, as is required in most states, plus fees associated with potential litigation that may arise from the breach, and the price tag may be a game-ender for smaller firms.
“There’s a handful of P&Cs out there that offer what is called ‘Cyber Insurance’ that is specifically designed to insure you against breaches or employee-related neglect,” sad Bridges. “My advice to any size BGA would be: ‘Make sure you have cyber insurance.’”* Justifying the expense of a supplementary cyber insurance policy on top of the software and services costs related to keeping sensitive data safe may seem like a bridge too far for some companies. Mattson said she understands that budget is a huge concern for small agencies, especially in the last few years, when the market has been especially challenging to work within. At the end of the day, though, the benefit of investing in an agency’s data security infrastructure outweighs the cost.
“Consider the number of people just sitting in your database and if there’s a data breach you could be susceptible for fines and lawsuits for each and every one of them,” Mattson said. “If you look at the fines and how much it costs companies for a data breach, it is a big gamble to cut corners.”
It helps sometimes, she said, to look at the cost issues in terms of lost revenue and potential lost business.
“We work with a number of financial institutions and we would not be able to do business within those institutions if we didn’t have these policies in place,” Mattson said.
“Can you really afford to be without protection?”
For the July/August 2012 issue of NAILBA Perspectives Magazine Paula L. Yoho is a freelance writer, editor, and public relations specialist with more than 15 years of experience writing for international trade association publications, newspapers, trade magazines, and professional journals.