• Handling sensitive information is one of the most critical responsibilities faced by today's insurance agency. Regardless of the size or focus of your agency, cyber risk is a rapidly growing threat.

    The list of regulations and legislation surrounding cybersecurity compliance continues to grow every day. Cyber exposures are evolving. Understanding the issues, your compliance obligations, and vulnerabilities can be overwhelming. 

    ACT can help you navigate these issues. 

  • Answer the eight simple questions below and you will be pointed to key areas of ACT's Cyber Guide 3.0 where you will find resources to address the most critical areas where your agency needs assistance. 

    Don't worry about writing them down or saving them to a document. An email will be sent to you after completion, with a summary PDF of the questions asked, their answers, and the suggestions and links for all questions.

  • Please note that this questionnaire is not intended to be a full cyber risk assessment. It is intended to help you quickly identify areas where you may need to become more cyber secure. 

    ACT intends to use the data from this assessment to provide the agency representative(s) completing the survey with insights and strategy to assist with the understanding and implementation of key actions to ensure cyber protection and compliance with federal and state cyber laws.  ACT may also use overall data in an anonymous aggregated fashion to share overall statistics on digital implementations across our industry.

    Your response to this survey is entirely voluntary. If you are asked to provide your identity, or the identity of the organization on whose behalf you are responding, and do not wish to do so, you can still complete the assessment without this information but will not receive an emailed copy of the results.  If you provide any free-form responses, please refrain from entering sensitive, confidential, or proprietary information of any kind. You agree that any information or materials provided in your response will not be considered sensitive, confidential, or proprietary and ACT cannot be held responsible to protect any data provided in your responses.  All responses and data provided are subject to the security practices and Privacy Policy of JotForm (https://www.jotform.com/privacy/).


  • A Risk Assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify inherent business risks and provide measures, processes, and controls to reduce the impact of these risks to business operations. The assessment should include a risk mitigation checklist.

  • Click here to be directed to ACT's 'Compliance and Protection Roadmap'  and check out 'Step 1 - Risk Assessment' for more background and resources to get you started.  

  • A "Written Information Security Policy" or "WISP" is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. The document must detail your agency's operations for security, governance, inventories, controls, continuity and disaster planning, and systems monitoring. This includes internal and external mitigation policies.

  • 'Step 2 - Written Security Policy' of ACT's 'Compliance and Protection Roadmap' has information and resources that can help you develop a 'WISP' and even includes a free downloadable 'ACT Cybersecurity Policy Template'.

  • An Incident Response Plan is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations.  This includes communication/notices to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers, and third-party service providers.

  • You can find tutorials, as well as lists of vendors that provide services for Incident Response Planning and much more by reviewing 'Step 3 - Incident Response Plan' of ACT's 'Compliance and Protection Roadmap'.

  • Annual security training is a critical regulatory requirement. Even if all other areas are in compliance, one misstep by agency personnel can expose data through malware, phishing, and other incursions. ACT strongly recommends that all businesses, regardless of size, train their staff on online security risks.

  • Annual security training is critical to your agency's total cyber-readiness.  Staff training and feedback should be consistent to ensure vigilance. 'Step 4 - Staff Training & Monitoring' of ACT's 'Compliance and Protection Roadmap' can give you the resources you need to establish this essential process in your agency. 

  • Penetration Testing (also called ‘Pen Testing’) is the annual practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. This should be done internally and externally. 
    Vulnerability Assessment is a biannual process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.  

  • Vulnerability & Penetration Testing minimize your exposure to potential threats. Neglecting this important process can mean the difference between cybersecurity and a cyber attack.  See 'Step 5 - Penetration Testing & Vulnerability Assessment' in our 'Compliance and Protection Roadmap' for ways to add this process to your agency's cyber-readiness plan.

  • It is crucial that you maintain written policies and procedures to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. The NAIC refers to this as an information security program.

  • Your written vendor contracts should ensure the security of your information systems and the non-public information that your third-party service providers access. Review the resources available in ACT's 'Compliance and Protection Roadmap' under 'Step 7 - Written Security Policy for Third-Party Service Providers'.

  • Data Protection (such as email encryption) and Access Privileges (such as multi-factor authentication) are among the common best practices that can be implemented to assure the protection of sensitive information.  

  • Multi-Factor Authentication (or MFA) is a security system that requires more than one method of authentication from different categories of credentials to verify the user's identity for a login or other transaction. One example is a policyholder logging into an agency website and being requested to enter an additional code or one-time password (OTP) that the website's authentication server sends to the policyholder's phone or email address. See 'Step 11 - Implementing Multi-Factor Authentication' in our 'Compliance & Protection Roadmap' to help get started addressing MFA needs.
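    The OTP step described above, written out as an added example of the server side of that exchange. This is illustrative code, not ACT's or any vendor's implementation: the class and function names, the delivery callback, and the policy values (six digits, five-minute lifetime, five attempts) are assumptions chosen for the example. It shows the checks a practitioner expects behind "enter the code we sent you": unpredictable code generation, expiry, a cap on guesses, constant-time comparison, and single use so a captured code cannot be replayed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not taken from the ACT guide).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingChallenge:
    """One outstanding second-factor challenge for a login that already passed the password step."""
    code: str
    issued_at: float
    attempts: int = 0


class OtpSecondFactor:
    """Issues and verifies one-time codes delivered out of band (SMS or email).

    `send` is a hypothetical delivery callback (dest, message); `clock` is
    injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending: dict[str, PendingChallenge] = {}

    def issue(self, user_id: str, destination: str) -> None:
        # secrets, not random: the code must be unpredictable to an attacker.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Re-issuing replaces any earlier challenge, so only one code is live per user.
        self._pending[user_id] = PendingChallenge(code=code, issued_at=self._clock())
        self._send(destination, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False  # nothing issued, or already consumed
        if self._clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]  # expired: the user must request a fresh code
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]  # guess cap: discard the challenge entirely
            return False
        submitted = submitted.strip()
        if not submitted.isascii():
            return False  # compare_digest only accepts ASCII str
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(challenge.code, submitted):
            del self._pending[user_id]  # single use: a replayed code must fail
            return True
        return False


def demo() -> dict:
    """Walk through issue -> wrong guess -> correct code -> replay -> expiry and return the outcomes."""
    outbox = []  # stands in for the SMS/email gateway
    now = [1_000_000.0]  # constructed fake clock
    mfa = OtpSecondFactor(send=lambda dest, msg: outbox.append((dest, msg)),
                          clock=lambda: now[0])
    user, phone = "policyholder-42", "+1-555-0100"  # constructed sample identifiers
    mfa.issue(user, phone)
    code = outbox[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_guess": mfa.verify(user, wrong),
        "correct": mfa.verify(user, code),
        "replay": mfa.verify(user, code),
    }
    mfa.issue(user, phone)
    code2 = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1  # advance past the lifetime
    results["expired"] = mfa.verify(user, code2)
    return results


if __name__ == "__main__":
    print(demo())
```

    The injected clock is what makes the expiry path testable; in production the default `time.time` is used. Note that the guess cap is enforced per challenge, so an attacker who exhausts the attempts cannot keep guessing against the same code, and a successful verification removes the challenge so the same code cannot be submitted twice.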

  • At its core, encrypted email describes a process where email messages are encoded so they can't be read by people who aren't part of the conversation. There are many ways to send "encrypted" email messages over the internet; however, not all encryption methods are equally secure. 'Step 8 - Encryption of Non-Public Information' in our 'Compliance and Protection Roadmap' will help you with further background on email encryption and other data transmissions.

  • Off-site backup is a method of backing up data to a remote server or to media that is transported off site. The two most common forms of off-site backup are cloud backup (now the most prevalent method) and tape backup. During cloud backup, also referred to as online backup, a copy of the data is sent over a network to an off-site server. Our 'Cybersecurity Provider Listings' section of the Agency Cyber Guide 3.0 details service providers who handle this critical need. You can also reach out to your agency management system provider.

  • A remote access VPN means your employees can log on to your company network from anywhere that has access to the Internet. Whether they are traveling or socially isolating at home, a VPN creates an encrypted tunnel for data and allows your employees to access all the resources they need to get the job done. The downloadable 'Written Security Policy' in Step 2 of our 'Compliance & Protection Roadmap' will further outline VPN needs and requirements.

  • Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioral detection, and other advanced mitigation, so known and unknown threats can be anticipated and immediately prevented. 

    Endpoint Detection and Response (EDR) is a security solution that combines real-time continuous monitoring and collection of endpoint data to alert companies about real-time cyber threats.

    'Step 05 - Penetration Testing and Vulnerability Assessment' in our 'Compliance & Protection Roadmap' covers Endpoint Detection and a number of other similar detection aspects.

  • Cyber liability insurance offers coverages to help protect your agency from various technology-related risks. 

  • Big I partner Coalition can help you learn more about your need for cyber liability insurance, for both your agency and your customers. Access Coalition's website here. Agents registered with Big "I" Markets can contact Carla McGee for a quote. Other cyber liability programs are available to your agency through your state association's Big "I" Professional Liability Program Manager.
