Collateral Damage: How Cyber Security Affects Agencies
As we reach the midpoint of a trying year, it might be time to take a quick breather. From a cyber liability perspective, however, the pressure on agents will ramp up considerably in the second half of the year. Here’s why.
In past columns, we have discussed the regulations that deal with cyber security practices that affect agents, including the California Consumer Privacy Act (CCPA), the New York Cybersecurity Requirements for Financial Services Companies and versions of the NAIC Insurance Data Security Model Law (passed in eight states with six pending). States that passed the NAIC law did so last year and the CCPA went into effect in January.
As a practical matter, a grace period before enforcement begins in earnest is common practice, according to Jon Mendoza, chief technology officer for Technologent. By this time, agencies that do business in these states but haven’t yet taken action to protect their data will now face a greater risk of penalties.
Today, all agencies, no matter what states they write in, must confront a growing and stealthy threat through their vendors.
“Most agencies use multiple digital tools and platforms to perform important functions such as accounting, quoting and communications,” says Joshua Motta, co-founder and CEO of Coalition, which offers cyber coverages and cyber security tools to agencies. “To perform these functions, these third-party service providers need access to agency data. Even if the agency itself maintains strong data security protection, that protection is only as strong as those practiced by the service provider,” he said.
Motta added that hackers are targeting these data-rich providers more and any breach of agency data is collateral damage.
Many agency principals underestimate their cyber security risks. In 2013, hackers exposed the personal and financial information of 110 million Target customers by backing their way in via a refrigeration contractor. Since then, hackers have increasingly set their sights on vulnerable vendors.
To make matters worse, the consensus is businesses that collect customer data also own it, no matter where that data ultimately ends up. That leaves agencies on the hook.
“Data privacy laws hold the data owner responsible,” says Arturo Perez-Reyes, cyber and technology leader and senior vice president at HUB International Limited. “Data processors do not need to notify in the event of an incident. As for the subcontractors of processors, they are not in privity with the owner, so courts find that there are neither contractual nor tort obligations.”
Coalition’s Motta says that carriers are pushing agencies to pay greater attention to cybersecurity because hackers could potentially access many types of data via an agency’s backdoor. That’s why carriers are now renegotiating agency contracts.
“We have never been more dependent on data and never more interdependent on access to data,” Motta says.
“Considering the trifecta of ransomware, social engineering and supply chain breaches and the havoc they create, as many as two-thirds of all agencies still do not carry standalone cybersecurity coverage,” he said. A businessowners policy offers only shoestring coverage and
will not cover wire fraud and other incidents, Motta says. “Not to mention the fact that it will also only include shared limits.”