Recently, laws regarding nonpublic and personal information have become more stringent. A recent law in Alabama (Act 2019-98) codifies how insurance companies manage and protect their technology systems. This law expands the current rules and regulations regarding insurance companies and requires insurance companies to build a system to protect non-public information, monitor and strategically analyze that system, create an incident response plan and review that plan regularly. The bulk of the law is dedicated to requiring insurance companies to establish some straightforward information security systems.
Do you know whether Alabama Act 2019-98 will impact your insurance company? What systems do you need to have in place to stay compliant with the law? What can you learn from this law, and what can you implement in your business, even if you don’t write insurance policies in Alabama?
In the following post, we summarize the recent law and discuss how it impacts local insurance businesses and their information security systems.
There are several areas covered by Act 2019-98 that are well known in the information security field, and insurance companies will need to understand the following terms in order to develop the systems that keep them compliant with the law.
Penetration testing, or pen testing, is the process in which a third-party vendor analyzes a business’s security systems, demonstrates where internal and external threats may arise and gives recommendations for how the company should remedy the risks. When this is performed internally within the company, it is called red teaming.
Phishing, spear phishing, and social grooming are terms for attacks in which an outside party manipulates employees, customers or vendors into giving that party access to the business’s IT systems or physical premises. Since no system is 100% human-proof, defending against these threat vectors always requires incident response planning as well as preventive planning.
The law mentions multi-factor authentication as a control that may be required as part of the information security program. Multi-factor authentication is the process of requiring more than one proof of identity in order to log in to nonpublic areas of a business’s IT systems. For example, many secure login pages use a cookie to identify trusted browsers; if that cookie is not present, the user must either answer security questions or enter a code sent by text to a mobile device to prove that they are the authorized user they claim to be.
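To make that login flow concrete, the following Python example (added here; it is not code from the original post or from any insurer’s system) implements the "trusted browser cookie, otherwise one-time code by text" decision described above. The cookie format, the function names, the server secret and the time limits are all constructed for illustration; the security-question path is mentioned in a comment but not implemented.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example only. A real deployment loads it
# from a secrets manager and rotates it; it must never live in source code.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
TRUSTED_DEVICE_TTL = 30 * 24 * 3600   # "remember this browser" for 30 days (assumed)
ONE_TIME_CODE_TTL = 5 * 60            # a texted code is valid for 5 minutes (assumed)


def issue_trusted_device_cookie(user_id: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Return a signed 'trusted browser' cookie value of the form user|expiry|hmac.

    The HMAC binds the cookie to this user and this expiry, so a client cannot
    mint or extend one without the server secret.
    """
    expiry = int(now) + TRUSTED_DEVICE_TTL
    payload = f"{user_id}|{expiry}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{user_id}|{expiry}|{sig}"


def cookie_is_trusted(cookie, user_id: str, now: float, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the cookie is well formed, signed by us, for this user, and unexpired."""
    if not cookie:
        return False
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    cookie_user, expiry_str, sig = parts
    if cookie_user != user_id or not expiry_str.isdigit():
        return False
    payload = f"{cookie_user}|{expiry_str}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: a forged or tampered signature fails here.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return int(expiry_str) > now


class OneTimeCodeStore:
    """Server-side record of codes texted to users (the 'text on a mobile device' path).

    Each code is single use and expires; nothing about it is stored in the browser.
    """

    def __init__(self):
        self._pending = {}  # user_id -> (code, expiry)

    def issue(self, user_id: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = (code, now + ONE_TIME_CODE_TTL)
        # In production the code goes to the SMS gateway; it is never sent back to the browser.
        return code

    def verify(self, user_id: str, submitted: str, now: float) -> bool:
        entry = self._pending.pop(user_id, None)   # consumed on first attempt, right or wrong
        if entry is None:
            return False
        code, expiry = entry
        return now <= expiry and hmac.compare_digest(code.encode(), submitted.encode())


def login(user_id: str, password_ok: bool, cookie, now: float,
          codes: OneTimeCodeStore, submitted_code=None) -> str:
    """Decide the outcome of a login attempt: 'denied', 'second_factor_required' or 'ok'.

    The password is the first factor; a trusted-browser cookie lets the user skip
    the second factor, otherwise a texted code (or, in the post's other option,
    security questions) must be supplied on a follow-up request.
    """
    if not password_ok:
        return "denied"
    if cookie_is_trusted(cookie, user_id, now):
        return "ok"
    if submitted_code is None:
        # Caller should now call codes.issue(user_id, now) and text the result to the user.
        return "second_factor_required"
    return "ok" if codes.verify(user_id, submitted_code, now) else "denied"


if __name__ == "__main__":
    now = 1_700_000_000.0          # constructed fixed clock so the run is reproducible
    store = OneTimeCodeStore()
    print(login("alice", True, None, now, store))              # second_factor_required
    code = store.issue("alice", now)                            # would be texted to alice
    print(login("alice", True, None, now, store, code))         # ok
    cookie = issue_trusted_device_cookie("alice", now)          # set after a successful second factor
    print(login("alice", True, cookie, now, store))             # ok, no code needed
```

The design choices worth noting for a compliance review: the cookie is signed rather than merely present, so a copied or hand-made cookie for another user or a past expiry is rejected; the texted code is stored only server-side, is consumed on the first attempt, and expires, which limits the window in which an intercepted or guessed code is useful.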
Systematic Information Security
Businesses should start by performing a risk assessment of their information security systems and creating appropriate responses to the risks uncovered. The law also requires that insurance companies create a comprehensive information security system that is designed to protect customers’ nonpublic information and to deny unauthorized users access to the business’s information systems. The law also addresses how third-party service providers are part of the information security system and must be included in the risk assessment and the other parts of the law. Finally, the law requires that the business, including executive management, be actively involved in the security program, including regular reviews and an incident response plan.
An important area of security is the assessment of internal and external threats to the security systems. While foreign hackers grab headlines, many data breaches are caused by employees. Some breaches are accidental, and some are intentional. Identifying these threats helps develop an information access plan for employees.
Creating Policies, Procedures, Systems and Programs for Security
Information security starts and ends with the humans touching it, so businesses are required to review and create systems that include policies and procedures.
How is employee access to business information systems monitored, and which parts are in the cloud versus kept off the internet?
What is the likelihood of a certain threat vector breaching the security systems? How does the business plan on responding if a breach or other threat happens?
Does the business have regular employee preparedness systems (anti-phishing, training on security procedures, etc.)?
Answering these questions will help your business start developing the comprehensive information security program required by Act 2019-98 and create the required written incident response plan. Developing a compliant security system involves several steps: ask more questions, think of attack scenarios, strategize both the best way to prevent said scenarios and to respond to them, and then develop written and practical policies to enact those strategies.
How does this impact an insurance company’s technology?
For companies that do not have an information security system in place, this law may seem difficult, but the risk of a data breach is very real, and businesses are liable for personal information even without this law. Insurance companies that follow the law will at least have a system where they previously had none, and they will be able to show how their compliance with the law absolves them of any charge of negligence.
The law requires that insurance companies have a designated employee or other representative who is responsible for the security program. It also requires that management review the system and sign off on their regular monitoring every year.
For many insurance companies, achieving compliance with this law will be a simple matter of filling out several forms. For those who have not yet faced the real risk of data compromise, more work will be required to stay in business.