Perhaps the least appreciated part of a cybersecurity program is the use of administrative controls. These safeguards are more “process-oriented” than the more tangible controls that we’ve discussed in previous posts like physical and technical protections.
As a result, administrative controls are often put on the backburner. But they are fundamentally important and, in fact, tend to make up the majority of the requirements in the laws and regulations that affect small insurance businesses today. Some of the most important include:
- Risk Assessments. One of the primary requirements of Reg 500 and the NAIC Insurance Data Security Model Law (IDSL) as it has been adopted by various states is to conduct periodic risk assessments. Risk assessments inform what areas of concern must be primarily addressed as you build out the rest of your Information Security Program.
- Policies & Procedures. Often, when people hear the term “Cybersecurity Policy,” their mind automatically jumps to a cyber insurance policy. That is not, however, what the laws and regulations require. In the requirements, a Cybersecurity Policy (sometimes called an Information Security Plan) is a document that outlines how cybersecurity is handled and implemented at your company. It has nothing to do with insurance, in fact. Along with this cybersecurity policy, the requirements call for an Incident Response Plan and a Data Retention Plan among other procedural documents.
- Employee Training. It is no secret that your biggest cybersecurity threat is your employees (you, if you’re a one-person agency!) The regulators know this and have therefore required that employees are trained on cybersecurity threats and how to mitigate them.
While there are other administrative requirements, these are the most common and foundational. Be sure to get familiar with your legal obligations and select the right partner to help make sure you’re prepared to meet your requirements and protect your company.
Securibly is the only web-based solution built specifically to help independent insurance businesses comply with their cybersecurity requirements. We’d love to help you prepare. Contact us at firstname.lastname@example.org for more information.