What do Independent Insurance Companies REALLY Need to do for Cybersecurity in 2021?

We’re almost through 2020 and what a year it has been. Between the coronavirus pandemic turning nearly every industry on its head and a divisive, tumultuous presidential election that has turned the economy into a roller coaster, 2020 can hardly be described as a “business-as-usual” year for anyone. So how do we get back to…

A PRACTICAL CYBERSECURITY PROGRAM – ADMINISTRATIVE CONTROLS

Perhaps the least appreciated part of a cybersecurity program is the use of administrative controls. These safeguards are more “process-oriented” than the more tangible controls that we’ve discussed in previous posts, like physical and technical protections. As a result, administrative controls are often put on the back burner. But they are fundamentally important and, in fact,…

A PRACTICAL CYBERSECURITY PROGRAM – TECHNICAL CONTROLS

Technical controls are what most people think of when the word “cybersecurity” comes to mind: encryption, multi-factor authentication, anti-virus software and other slick tools to protect information. While sound cybersecurity extends well beyond these kinds of safeguards, having strong technology in play to protect data is important. What most small insurance businesses fail to realize is…

What is a Third Party Service Provider Security Policy?

23 NYCRR 500 requires Covered Entities to implement a Third Party Service Provider Security Policy in Section 11. In reality, there is more to the requirement than simply crafting a policy. There are several other requirements Covered Entities must contend with in relation to Third Party Service Providers: Identification and initial risk assessment of third…

What is Training & Monitoring?

Section 14 of 23 NYCRR 500 is broken into two seemingly unrelated sections – training and monitoring. Section 14(a) focuses on monitoring requirements and Section 14(b) focuses on training requirements. Section 14(a) is anything but prescriptive and essentially requires Covered Entities to implement policies, procedures and controls to monitor their network activity to detect unauthorized access…