By Gissou Gotlieb, Field Suitability Compliance Officer
Information security is a topic most of us are familiar with and have been hearing about for a while. The need to protect personal and non-public information is something we all understand, personally as well as professionally. Cybersecurity, on the other hand, may feel like other people’s problem or something that belongs in movies. After all, the “bad guys” aren’t really after the independent insurance producer, right?
In short, cybersecurity is the protection of computers and computer systems from unauthorized use. Unauthorized use may take the form of damage to hardware or software, theft, or other access to and mishandling of equipment or information. It may be carried out by people who have authorized access but misuse it, or by outsiders who have no authorization at all. Today this threat is real for every individual, government, and business, small or large. In fact, small businesses can be particularly exposed because they often take fewer measures to protect against unauthorized use. Criminals who compromise a small business’s computers can enlist them, along with other compromised machines, into networks that add computing power to further criminal activity, or simply use the small business as an easier way into the larger companies it does business with.
The safety and security of our computer systems and data is on the radar of many government organizations (Department of Homeland Security, FBI, SEC, and others). Recently, the New York Department of Financial Services issued the most comprehensive cybersecurity regulation for our industry to date (23 NYCRR Part 500). While the industry works on compliance with the variety of topics the rule addresses, some items should be of importance to you and on your radar for consideration:
1. Information you house on your computer or have access to
a. Identify the types of information you hold and how each is accessed (a program on a computer, a website, an app on a smart device). Are the information and the systems that hold it secure?
b. Identify the people who have access to the computers, systems, and information. Do the right people have access to the appropriate information, and only that information, in a secure way?
a. Are you and your staff knowledgeable about basic precautions that help protect against unauthorized use or theft (e.g., password security, locking up computers and laptops)?
b. Have you assessed, and are you aware of, the weaknesses in your processes or systems (e.g., what happens if an employee leaves, or loses a smart device that holds your system’s information)?
c. Do you manage and track all devices that enable access to your systems and client information (including the smartphones, tablets, and laptops of you and your employees)?
d. Are you and your staff able to recognize a cybersecurity event?
i. Have you discussed this topic and the related procedures with staff?
ii. Have you assessed the potential risk to your business and daily operations?
iii. Do you and your staff know what to do, and what not to do, in case of an event?
iv. Do you and your staff know whom to notify and what the next steps are?
e. Have you vetted the third-party vendors who have access to your physical premises (e.g., a cleaning crew) and your digital systems (e.g., software companies providing services, contact management systems)?
i. Are you familiar with their privacy and cybersecurity policies and procedures?
ii. Are you comfortable that they can deliver on their commitments to your business, and that a shortcoming on their side will not become an “event” for you?
Most of the current regulation and discussion goes beyond security and access controls alone. It also covers the processes that ensure protection, the monitoring of those processes, and the detection, response, and reporting of an incident. Companies are not only required to have policies and procedures on this topic; they must also identify the key people who manage the program and are held accountable for it.
If you haven’t spent much time thinking about this topic, I urge you to use the items discussed here as a starting point to become more aware. Call our office for additional information and resources on how you may be able to improve your protection. Your reputation may be on the line.
Gissou Gotlieb | Field Suitability Compliance Officer
Ann Arbor Annuity Exchange
Ph: 800.321.3924 x134 | Dir: 734.786.6134
Ann Arbor Annuity Exchange and its representatives do not give tax or legal advice. Please consult your tax advisor or attorney.
Designed for Financial Professionals.