Managing who has access (and who doesn’t have access) to Nonpublic Information is key to a strong cybersecurity program and to compliance with 23 NYCRR 500. Small companies and independent insurance producers, listen up. This is for you, too.
Managing user access to sensitive information is a cornerstone of cybersecurity. So you might be a bit surprised to find that the “Access Privileges” requirement found in Section 7 of 23 NYCRR 500 is the shortest section of the regulation. In fact, it consists of a whopping…one sentence.
Basically, it says that Covered Entities need to limit user access to information systems that contain Nonpublic Information. You are also on the hook to “periodically review such access privileges.”
With a requirement this vague, there are two things you need to consider:
Where is there risk as it relates to managing user access to Nonpublic Information?
To what extent can I apply cybersecurity standards and best practices to mitigate this risk?
To address the first, consider who might have access to systems that contain NPI. Do employees have access to customer data? Do third parties store NPI or use it to conduct their work for you? Start by finding where this applies.
Next, you have to address this risk. Start by evaluating whether or not the access that users or third parties have to NPI is appropriate. You should abide by the principle of “least privilege.” This means allowing people access to only the minimum amount and types of Nonpublic Information necessary to fulfill their duties to you and your business. Don’t give anyone the “keys to the kingdom” if they don’t absolutely need them.
Once you’ve established that everyone has appropriate access to data, it is important to reevaluate from time to time. What you’ll find is that over time employees and third parties will come and go or their roles will change, meaning their need to access data will change. Without stopping to take stock of who has access to what information, there is a high probability that eventually NPI will end up in the wrong hands. Make this a habit by setting a schedule for how often and when you’ll review access privileges.
Keep in mind that you need to stay on top of this in real time for material changes. If, for example, one of your employees that had access to customer data leaves, that individual’s access to the data needs to be revoked immediately. Have a process in place to make this happen so you aren’t caught flat footed each time somebody’s job changes.
Securibly’s CC Shield platform comes loaded with a Cybersecurity Policy (among several other required policies and procedural documents) that covers the fundamentals of access control to make it easy to build these types of considerations into your work as an independent insurance agency. It doesn’t have to be complicated.
