When was the last time anyone in your organization sent an email containing sensitive information?
"I don't email sensitive data at all."
…Are you willing to bet your business on that?
Email has revolutionized the way we interact. It allows quick and efficient exchanges of information. But email also can expose your private communications when you, or your recipients, have a security breach.
Yet email security sometimes comes as an afterthought.
No matter what role an individual holds in the insurance industry (e.g., agents, brokers, carriers, underwriters, risk managers, claims professionals, lawyers, or adjusters), access to sensitive data abounds, and that data is traded daily between internal and external personnel via email.
Burying your head in the sand
When was the last time anyone in your organization sent an email containing:
- Candid, open communications with company executives and Board Members;
- Pre-released financial information;
- M&A discussions;
- Intellectual property/patent content;
- Information about executives traveling overseas;
- Crisis management details;
- Password distribution;
- Disaster response communications;
- Social security numbers; or
- …the list goes on.
You may not realize it, but everyone at some time communicates sensitive information via email.
Can you be sure it is going to the right person, or that it's not getting intercepted or forwarded?
What if it got into the wrong hands?
Let's look more closely at email risks throughout an insurance organization.
Human resources: This department is full of the type of confidential data that hackers love, including social security numbers, medical insurance information, and succession discussions. It serves as a reminder that internally, every department needs to be audited for email security. Company leaders should know where confidential information goes when it's emailed, and who sees it.
Third party vendors: And then there are the external emails. The second an unencrypted email "leaves" an outbox, it can be intercepted and read. The property insurance industry is especially vulnerable because it relies on third-party vendors with whom sensitive data is shared. That's why insurers should know what type of email systems and security third parties use. This would include independent adjusting companies, restoration companies, water mitigation providers, roofers, contents evaluators, and contractors.
What if one of them got hacked? Keeping policyholder information safe is still your responsibility.
The right and wrong solutions
Hacker threats have some organizations resorting to low-tech alternatives: personal phone calls and face-to-face meetings, which are expensive, and overnight delivery services, which are even more expensive! And when it comes to meeting compliance requirements, there are applicable laws, regulations, and supervisory expectations that can vary state-to-state.
The consequence: less tangible proof of who said what, when, and what happened. Ultimately, compromising effective communications can affect a company's bottom line.
Develop and share email security tools
Let's say you have your internal sentries, and you're confident of your cybersecurity best practices.
How can you carefully monitor your vendors' policies and procedures?
It may seem like a daunting endeavor, but there are options. You must start with a detailed plan. It might look something like this:
- Choose vendors with email security policies in place. Ask to see them.
- Be open to new ideas from them, but make sure their policies and tools match yours and not the other way around. Compliance requirements abound and must drive best practices.
- Does your organization have the ability and resources to continuously monitor each vendor you work with?
- There must be red flags, surprise and scheduled audits, and repercussions for not following policies.
- Do you have a set policy for working with vendors (and collaborating internally) on email security measures and determining what can be done to protect your data?
- Do you have a cybersecurity disaster plan in place? Has it been shared with vendors so that they know what to expect if the unthinkable happens?
- You need to be able to quickly identify and remediate issues if need be, so having a team and the right tools for monitoring this will give you peace of mind.
Keep in mind that it only takes one stolen email to ruin a business and its reputation.
Having policies and tools in place to keep a fence around this data cannot be a tertiary priority in this "hack a day" era.
Idan Udi Edri is CEO of Trustifi. To reach this contributor, send email to iedry@trustificorp.com. The opinions expressed here are his own.