Editor's note: Joshua Schmidt is vice president and chief information security officer of Vertafore
In the wake of recent widely publicized data breaches, security is a paramount concern for all businesses. According to a recent PwC survey, the number of data security incidents has increased globally across various industries by 25% in the last year. In the financial services industry, the survey revealed the average number of detected incidents increased by 169% since 2012, and the average total financial losses have increased significantly in the past year.
For independent agents and brokers, there are two sides to the data security coin: Although the increase in risk presents an opportunity to provide insurance to businesses in every industry, that same risk of an intentional or accidental data breach can threaten an agency's confidential client information.
How can agencies manage their time and resources appropriately, stay ahead of criminals, and prevent data disclosure accidents? Here’s a 10-question checklist for covering the basics of system security.
1. Are you properly funding your information security program? Security budgets need to be properly funded, and the commitment to security initiatives needs to remain constant.
2. Do your staff and contractors understand their security and data privacy obligations? A clearly written policy, cross-referenced to the applicable legal, regulatory and contractual requirements, that explains employee responsibilities for protecting clients’ sensitive information is necessary.
3. Are you compliant with data protection laws? To ensure that agencies are compliant with government and market standards, they must keep up with hundreds of data security guidelines.
4. Are you in the “security arms race”? Each year, new attack methods are developed and new technologies are built to combat those attacks. Deploy and maintain technological defenses within each layer of your IT infrastructure.
5. Are insecure configurations and unpatched systems in your IT infrastructure making you vulnerable? Keep systems secured by testing frequently for vulnerabilities and exposures and by maintaining rapid patch management processes.
6. Are bugs in your in-house developed software applications making you vulnerable? Have in-house developed software tested with secure code reviews and application vulnerability testing tools to detect bugs before someone else discovers and exploits them.
7. What would you do if someone hacked into your systems and accessed customer records? All agencies need a computer security incident response plan to ensure a timely understanding of significant security events and their impact.
8. If your office and the place you store data backups were both flooded and lost power for a week, how could you continue to stay in business? Disaster recovery is typically focused on timely recovery of IT systems and includes data backup processes.
9. Can you trust that your service providers are compliant with data protection laws, will securely handle your data and can quickly recover their systems following a disastrous event? It’s essential that the security practices of service providers be evaluated to ensure they facilitate your legal compliance, properly secure data and ensure rapid recovery of systems so that your business operations are not interrupted by security incidents or disasters.
10. Could a significant data breach ruin you financially? Maintaining your own cyber insurance policy is a good option for managing the risk of costly data breaches.
Many businesses are deciding the burden of maintaining secure, compliant, and highly available Information Technology (IT) infrastructure is too costly, so they turn to service providers to host the critical business systems that process and store client data. Before outsourcing to service providers, it is important to ask them the same series of questions to ensure a chain of trust when handling client data. After contracting with a service provider, periodically check in on the service provider’s control measures, such as reviewing annual audit reports like an SSAE 16, to ensure appropriate control measures are maintained over time.