Data Breaches: A Major Risk for Financial Professionals

Dealing with cyber threats and staying compliant with government and industry requirements are now inherent risks of doing business for financial professionals. While some insurance and financial services professionals have awakened to this reality, most have significant work to do to protect themselves and their clients.

In today’s digital age, maintaining a formalized information-security plan and staying compliant with federal, state and industry data breach regulations have not only become essential management practices, but possibly a matter of survival, as well.  Here’s why.

Financial industry targeted

The financial industry is highly targeted by cyber criminals because of the valuable personal, financial and health-related information handled on a daily basis, and because brokers and agents are often the most vulnerable and least prepared to prevent or respond to cyber-attacks.

The industry has been rocked over the last two years by an onslaught of data breaches, resulting in well over 100 million Americans’ personal, financial and healthcare data being exposed.  Making things worse, criminals are looking to access larger businesses and their data by targeting insurance, brokerage, financial, legal, and accounting firms.

This is putting increased pressure on the industry to not only meet new client expectations for data privacy, but to also comply with government and industry standards for protecting confidential information.

Regardless of the types of products you provide, your clients expect you to keep their personal and confidential information private and secure.  Business clients in particular are becoming increasingly concerned about security risks with their third-party service providers, and are starting to require agents and brokers to answer lengthy security questionnaires about their cybersecurity and risk-management practices before doing business.

If you haven’t already begun receiving information-security assessments from key clients, including the requirement to sign an information-security agreement, be assured that this is the future of building and maintaining client relationships.

It’s ironic that after years of worrying about “differentiation” and what makes one broker or advisor better than the other, gaining and keeping clients may boil down to a measurable distinction between the firms that might get hacked and the firms that might not.

Brokers and agents who are serious about their business are now taking this expectation seriously, including obtaining security and compliance certifications based on regulatory and industry standards.  Some brokers are now starting to promote this type of security certification in marketing materials and client pitches as a competitive differentiator.

Regulatory requirements

In addition to client expectations for better security, personally identifiable information (PII), such as Social Security Number, date of birth, financial and insurance information, medical information, and other confidential data must be properly protected under various federal and state laws.

Well-known examples of federal laws include HIPAA-HITECH and GLBA that require insurance and financial-services firms to implement safeguards to protect confidential information they handle in the normal course of business in the health-benefits or financial-services markets.  These include insurance and financial-services brokers, as well as agents and producers.

In addition, 47 states have enacted laws that require all businesses to protect the PII of consumers and businesses within the state.  Brokers, advisors and agents in these states, or those who have customers in these states, must comply with the respective state laws or face civil and/or criminal penalties.

Some states have enacted rigorous laws, such as Colorado, California, and New York, where the Department of Financial Services recently implemented new cybersecurity regulation requiring banks, insurance companies, licensed financial professionals and others to establish and maintain a cybersecurity program to protect consumers.  This law applies even to those who do business within the state.

Financial industry standards

Since 2005, SEC and FINRA have required broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties (S-P Safeguard Rule 30 (a)).  This includes the adoption of a formalized information-security plan with written policies and procedures for protecting client information.

In light of the increasing number of data breaches in the financial- services industry, it’s not surprising that SEC and FINRA have recently stepped up efforts to enforce fines and penalties on firms whose security controls are lacking.

Additionally, NAIC has consistently advocated for better information security standards for the industry.  In the coming months, NAIC is set to finalize a comprehensive Model Law that establishes the exclusive industry standards for data security and breach response.  This will apply to all insurance licensees, including not just insurers, but agents, brokers and other parties.

NAIC’s model law requires all licensed persons and organizations to create a comprehensive, written, information-security program that details the administrative, physical and technical safeguards for protecting personal information, including a breach response plan.  It would also require owners and boards of directors to approve and oversee implementation of the program and compliance with the law.  The model cybersecurity standards are aimed at encouraging state insurance regulators to incorporate these elements into their regulatory framework.

Cybersecurity and Compliance Best Practices

The development, implementation and ongoing management of your information security plan should follow the standards and best practices outlined in federal, state and industry requirements.

Here’s a checklist to use as a starting point:

  1. Management commitment, creating a culture of security
  2. Conducting regular security risk and compliance assessments
  3. Creating and maintaining information security policies and procedures
  4. Implementing necessary cybersecurity technology and defenses
  5. Conducting regular security vulnerability assessments
  6. Providing security awareness training for all personnel
  7. Managing third-party service provider/vendor risks
  8. Having a breach incident response plan
  9. Obtaining appropriate cyber-liability insurance
  10. Getting third-party compliance certifications

Failure to implement and maintain these essential practices can cost you business and can significantly reduce your legal defensibility in the event of a data breach incident.

Remember that cybersecurity and compliance are not something you “set and forget.” They constitute an ongoing process that must be tested, maintained and updated.

On the road to compliance

Data breaches have created a new business-management responsibility to properly protect confidential information. The first step is to assess where you stand today.  Where are your current vulnerabilities?  What regulatory, legal and industry requirements are you not adequately following or failing to address?

You may have to admit that you are not an expert in cybersecurity or data-breach compliance and may not be qualified to handle this alone.  Your IT staff or a tech-savvy friend may be able to help some, but this is not just an IT issue.  If you do not have the inside expertise in cybersecurity and compliance management, get outside help.  You may want to consider outside experts anyway, as they likely have more experience and a broader array of tools and resources.