Skip Ribbon Commands
Skip to main content
S1-Post-Only

Agency Cyber Roadmap

The steps in this roadmap are designed to help agencies understand cybersecurity regulatory requirements. 
While the steps can be followed in the order they are listed, it is not essential. An agency can choose to review/follow in any order.
However, to adequately understand their hazards, it is recommended to begin with a Risk Assessment.
 From there, an agency can decide what areas are of the most priority to their organization. 

For each regulation, we have listed examples of industry and external resources.  ACT provides these based on our awareness of services offered but does not endorse any specific service providers.  

Categories are listed by each resource to help identify the type of issue for which it provides guidance.

Regulatory ✔
     Intended to offer regulatory insight and resources. 
Contractual 📝  Intended to offer insight and resources to better understand contractual obligations being imposed.
Existential ⚠      Intended to offer insight and resources for training and risk mitigation strategies. 



  • Regulatory ✔ 
    The cyber/privacy regulatory landscape is everchanging as federal and state governments adjust to new risk types emerge and consumer demand.  While no one collection of resources can take the place of an agency's own legal team and IT resource, the Agency Cyber Guide brings awareness of overarching trends and issues on which to focus.

  • Contractual 📝
     As independent agents, we recognize that you contract with many different organizations to conduct your business and protect your customers every day.  Whether the carriers you are appointed with, technology companies you use each day, a network/aggregator you may be affiliated with, or any other third-party contractual relationship, it is very likely the contracts and user agreements contain specific language holding your agency accountable for certain protocols, procedures, and reporting obligations.  Given the vast diversity in contract type and approaches to managing cyber and privacy risk, we encourage every agency to review and understand these contracts, to be clear about what they are agreeing to, and to seek counsel and advice from their legal team.

  • Existential ⚠

    As insurance and risk management professionals, we know that sometimes you can do everything right, and yet bad things can still occur.  The cyber world is no different as good people and companies who've done everything to be compliant and understand their contractual obligations can and do become victims every day.  Awareness of risk, communication, training, and being diligent can go a long way in helping prevent a possible attack or breach.  These resources are intended to supplement with advice agencies receive from their own IT and cyber teams and resources.

Roadmap Steps (4).png


 
 



RISK ASSESSMENT

Typically this is the first step on your roadmap. A Risk Assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of these risks to business operations. The assessment should include a risk mitigation checklist. 



Risk Assessment Resources

StaySafeOnline.org

Existential ⚠

Resources presented by the National Cyber Alliance on how to stay safe online.

Rhodian Group

Regulatory ✔ Contractual 📝 Existential ⚠

A cybersecurity and forensics firm supporting businesses nationwide.




WRITTEN SECURITY POLICY

A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. It can also be referred to as a "written information security policy" or "WISP".


 
The document must detail your agency's operations for security, governance, inventories, controls, continuity and disaster planning and systems monitoring. This includes internal and external mitigation policies.





 



Written Security Policy Resources

ACT Cybersecurity Policy Template

Regulatory ✔ Contractual 📝

A free agency resource to create a written agency security policy - Requires Big 'I' ID & password to access.

FCC Cyber Security Planning Guide

Regulatory ✔ Contractual 📝 Existential ⚠

This planning guide is designed to meet the specific needs of your company, using the FCC’s customizable Small Biz Cyber Planner tool.





INCIDENT RESPONSE PLAN

An Incident Response Plan is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations.  This includes communication/notices to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers, and third-party service providers. 


This is part of an overall written security plan (see item #2 above). 

 



Incident Response Plan Resources

Mintz Matrix

Regulatory ✔

State Data Breach Laws in all 50 states

NCSL Security Breach Notification Laws by State

Regulatory ✔

NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice




STAFF TRAINING AND MONITORING


This is a critical regulation. Even if all other areas are in compliance, one misstep by agency personnel can expose data due to malware, phishing, and other incursions. ACT strongly recommends that all businesses regardless of size train their staff on online security risks. 


Staff Training & Monitoring Resources

PhishMe.com

Existential ⚠

Learn how detect phishing threats and more.

KnowBe4.com

Existential ⚠

Effective awareness training dealing with the changes made in workplaces.

Cybersecurity Employee Training Guidelines From Travelers

Existential ⚠

Security awareness training teaching employees to understand vulnerabilities and threats to business operations. 




PENETRATION TESTING AND VULNERABILITY ASSESSMENT

Penetration 
Testing (also called ‘Pen Testing) is the annual practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. This should be done internally and externally. 


Vulnerability Assessment  is a biannual process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure.  



Penetration Testing and Vulnerability Assessment Resources

Tutorials

Differences/Details between Penetration Testing and Vulnerability Assessments



ACCESS CONTROL PROTOCOL


This responds to regulations requiring restricted access to non-public information, including PII, PHI, PCI.

Access Control Protocol Resources

FTC.Gov  

Regulatory ✔

How to Comply with the 'Privacy of Consumer Financial Information Rule' of the Gramm-Leach-Bliley Act






WRITTEN SECURITY POLICY FOR THIRD-PARTY SERVICE PROVIDERS


These are written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
  The NAIC refers to this as an information security program. 
Note: This is an evolving issue, with regulatory guidance to come. 


Service Provider Resources

ACT/Big I Agency Cybersecurity Policy Template

Existential ⚠

Third-Party Service Provider compliance and other related cybersecurity services.


ENCRYPTION OF NON-PUBLIC INFORMATION

Encryptionis the process of encoding a message so that it can be read only by the sender and the intended recipient. 

Non-Public Information refers to all electronic information that is not publicly available information and for insurance purposes refer to PII (personally identifiable information), PHI (protected health information), and PCI (payment card industry data security standards). 

This regulation describes the need to encrypt and protect this data when in storage and when transferred between the insurance agency and its policyholders (example: email).


Note: There is an exemption to this regulation, however it requires a waiver request to be submitted annually.  See your state regulations, described HERE. 




Encryption of Non-Public Information Resources

What is Data Encryption, How to Get Started

Existential ⚠

A quick guide to Data Encryption and best practices.

Comparison of the Best Data Encryption Software - 2024

Contractual 📝 Existential ⚠

Just because you have antivirus software installed on your PC doesn't mean a zero-day Trojan can't steal your personal data. The best encryption software keeps you safe from malware (and the NSA).

ACT TLS email encryption FAQs

Contractual 📝 Existential ⚠

Learn about TLS (Transport Layer Security) and how it helps protect your emails.

ACT Protect Your Clients with Secure Email Using TLS

Contractual 📝 Existential ⚠

Learn why having a secure email helps protect your clients.

ACT IA Carriers with TLS Secure Email Enabled

Contractual 📝 Existential ⚠

The following insurance carriers have reported to ACT that they support TLS email encryption for their agencies.






DESIGNATION OF CHIEF INFORMATION OFFICER



A Chief Information Officer is the title required by NY DFS for some agencies doing business in New York.; 
nationally this role can be viewed as 'Data Security Coordinator'. 








Designation of Chief Information Officer Resources

CIO.gov

Regulatory ✔

US Chief Information Officers Council - Official US Government site providing resources for CIO's understand the CIO role


AUDIT TRAIL


An audit trail (also 
referred to as an audit log) is an electronic trail that gives a step-by-step documented history of a transaction. It enables an examiner to trace the financial data from general ledger to the source document (invoice, receipt, voucher, etc.). The presence of a reliable and easy-to-follow audit trail is an indicator of good internal controls instituted by a firm and forms the basis of objectivity. 


For agencies, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail. 



Audit Trail Resources

NIST (National Institute of Standards & Technology) 

Regulatory ✔

National Institute of Standards and Technologies - Computer Security Resource Center Assistance on Audit Trails





IMPLEMENTING MULTI-FACTOR AUTHENTICATION


Multifactor authentication (MFA) is a security system that requires more than one method of authentication from different categories of credentials to verify the user's identity for a login or other transaction.

 One example is a policyholder logging into an agency website and being requested to enter an additional one-time password (OTP) that the website's authentication server sends to the policyholder's phone or email address.



Multi-Factor Authentication Resources

ID Federation

Existential ⚠

ID Federation was formed to provide an answer to the industry challenge of limiting the proliferation of IDs and passwords to do business.

   

PROCEDURE FOR DISPOSAL OF NON-PUBLIC INFORMATION


As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and PCI. Improper document destruction is often a downfall of small business security.


Regulations on this vary by state. Agents doing business in multiple states should adhere to the highest level of requirements. Keep in mind, there is a difference between complete disposal of information, and simply deletion.





 


image 
 
​127 South Peyton Street
Alexandria VA 22314
​phone: 800.221.7917
fax: 703.683.7556
email: info@iiaba.net

Follow Us!


​Empowering Trusted Choice®
Independent Insurance Agents.