In the spirit of Tech-Tock, I’m going to discuss cyber security from a compliance perspective. This is still about technology, and it does carry a sense of urgency for financial services professionals. The trend I’ve witnessed for the last few years is compliance pushing downward into the supply chain. Cyber security companies believe they have a good handle on defensive layering and real-time protection, and that the problem today is pushing compliance down into the supply chain and continuing to close vulnerabilities there. They develop software that tries its best to protect your data from external breaches; companies similar to Fleetsmith, for example, try their best to protect your business with application security.
Technology-wise, the movement here is “Trust No One” when it comes to securing data and data access. The day is coming soon when two-factor log-ons will be required for everyday users. Two-factor access starts with your typical login and a strong password, you know, the one you never change. The system then sends you a code (i.e., by text message, email, phone call, fob code, etc.) which you enter into your log-on process, and you’re in. As you move deeper into IT Land you see a group of professionals who keep that cyber world running and have all the keys to the kingdom. Not trusting them is taking shape in third-party key vaulting: the company holds one key and the D3P holds another, and decrypting the data requires both parties to participate. Layers.
So these cyber professionals mentioned previously believe technology in the market today, when properly deployed and maintained, can protect confidential information. They claim today’s vulnerability lies with businesses that let their partners into their world to varying degrees; those partners pose the threat. Making their case over time in many forums has created more compliance and is pushing it deeper into the supply chain. This has produced the recent rollout of the European Union’s General Data Protection Regulation (GDPR), which added some user rights and big fines. The most popular user right is the ability to have your personal information destroyed after use. When this hits the U.S., hang on! Revenue models will implode: no more data markets. California has just released a new state law that in effect kills the data resale market. Fines that start at €20 million and can go as high as four percent of the company’s EU revenue have everyone’s attention.
Privacy and identity protection are also beginning to hit some current technology we use today: E-Signing, the backbone of the E-App initiative. Case law has taken a turn whereby judges are not accepting login and password as adequate for signer authentication. In two 2016 cases the California courts ruled that login and password were insufficient evidence to prove identity. After a decade of identity theft, who can trust anyone’s documentation? Courts want more evidence to authenticate, such as adding biometrics to the signing event (e.g., voice signatures and video signing).
So, what does that mean to the brokerage and agent community? More compliance. In my experience, the BGA/agent was not a real threat because regulations had a high threshold before you needed to report and act on a breach event. The trend today is that these thresholds are falling fast: breach-reporting thresholds of 50,000 or more records are dropping to 500 or more (NY DOR Regulation 500). So, the world of compliance is descending upon the BGA/agent community.
This means significant change for many BGAs and agents and the way they look at cyber compliance: “peer apathy.” The “because the majority of your peers don’t spend the resources on compliance, why should you” mentality is over. You’ll know it’s over when you get your first request for your annual SOC2 Type 2 audit report. I know because I receive many calls these days asking me: “What is a SOC2 audit and should I care?” Service Organization Controls testing level 2 covers internal financial, human resources (SOC1) and cyber security controls. Type 2 means the audit period is the past 12 months of records demonstrating your compliance with the subject controls. Controls are cyber practices, HR screening, threat training, data protection and safeguards on access to confidential information. I usually respond to the SOC2 phone question with a typical 200-control questionnaire and ask the caller to self-assess.
This is where the story gets interesting. The next call usually starts with, “I don’t do any of this, I don’t have a Chief Information Security Officer.” If you’re the principal of the organization, you’re now the CSO. The next question usually is, “I outsource all my computing needs (i.e., hosted CRM, hosted AMS, hosted document management, etc.), so why do I need to do this?” Simple. The regulations make it clear that you can outsource your technology to third parties, but not your responsibility. Outsourcing is good because your vendors can provide their SOC2 Type 2 audit reports, which satisfy the oversight requirements for your vendors and can answer many of the control questions, leaving about 100 controls to go. Now the SOC2 audit focuses on how your organization interacts with the hosted solutions. Auditors will want to review your cyber security policies and procedures on how you manage background checks, least-privilege access, incident reporting, disaster recovery, social media conduct, hard drive destruction, email encryption and so on. Just because you outsource your technology does not relieve you of conducting a third-party SOC2 Type 2 audit.
The cyber world and government regulators believe today that if everyone in a supply chain of confidential information conformed to cyber compliance, identity theft would be greatly reduced. Well now, what do I do and what’s it going to cost? Let’s start with, if you run a home-grown solution, a third-party penetration (pen) test (about $15,000-$30,000). Next, find a law firm which provides breach services and internal SOC2 control consulting (about $25,000-$50,000). This law firm serves two purposes: preparing your control (i.e., budgeting) remediation plan, and being the first phone call to make if you have evidence of, or suspect, a breach. Remember, a breach is unauthorized access to confidential information (i.e., a lost notebook with no disk encryption, unencrypted email traffic, terminated employees who walk out with their shadow files, not shredding paper files, etc.). When using penetration testing, you are basically sanctioning an authorized breach in order to identify areas of vulnerability in a network. When you’re ready, a SOC2 audit (about $20,000-$50,000) every year. What makes it more expensive is the fact that, in the life insurance world, you’re subject to HIPAA and PCI audit requirements, which are separate from SOC2 audits. I really think life insurance is the most expensive group when it comes to compliance cost because of the information you manage. Once you have your SOC2 audit complete, now you can get cyber insurance. Cyber insurance companies generally want a complete SOC2 audit so they can underwrite your risk. With a good report, expect to pay around $10,000-$20,000 annually for $2 million to $3 million in coverage.
Independent agents should review their E&O insurance and expand coverage for the risk they have access to, and adopt personal encryption solutions (i.e., encrypted notebooks/computing, communications archiving, email encryption and password management tools). Agents working from PC-based computing at home should consider virtualizing (e.g., VMware Desktop) their business computing, separating their work life from their family or personal life (around $2,000-$3,000).
Well, there you have it. The train has left the station and the trends discussed above are coming soon to a BGA/agent near you. Some call it the cost of doing business… I think it’s just seat belts on an airplane. Welcome to the party, Hans.