
FAIA and Industry News

It’s Time to Take IT Security Seriously


By Paul Peeples
FAIA Vice President & CIO

Ever since Citizens started requiring a Written Information Security Plan (WISP), FAIA has been looking to backfill a vacancy in the area of Managed Service Providers (MSPs) and cyber security experts. This was no easy task, since we were not provided an example of an acceptable WISP. Admittedly, technology significantly contributes to the ease of data collection and reduces the time required to write and service policies, but these improvements create risks and exposures of their own that could be catastrophic for agents if not addressed properly.

After researching several potential providers, the FMS Board vetted a company called VineIT to fill the need of our members. This is a Florida-based company that specializes not only in managed IT services but in cyber security too, and it can help you be compliant with Citizens’ requirement (which is also being looked at by NAIC)!

Most agencies have tried to manage their own hardware, software, and security. This is a landscape that is changing rapidly, and one little mistake can cost your agency big. How big? Statistics show that 50% of small and medium-sized businesses have suffered a cyberattack in the last 12 months (through YE 2016) – and this is only going to increase. Also, the U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyberattack. According to the Ponemon Institute, the average price for small businesses to clean up after their businesses have been hacked stands at $690,000. Oh, and for middle market companies, it’s well over a million dollars.

OK…now that I have spooked you, and you should be (since this is some serious stuff), what do you do? Below is a list of key strategies you should consider very seriously when it comes to your agency’s protection and cyber security.

  • Network Security Assessment: Every compliance standard recommends that a third party, and not your IT team, perform this type of analysis. Many lenders even require it. This is basically a comprehensive assessment of your network that tests your core systems using a security analysis based on the National Institute of Standards and Technology (NIST) framework (800-53). This is the starting point for everything. Wouldn’t you or your IT team want to know how healthy your IT environment is?
  • Risk Assessment/Vulnerability Analysis and Remediation: This is a comprehensive area where basically “The Good Guys” try to hack your systems from inside and outside your organization, using real-world exploit frameworks to find potential vulnerabilities. The internal testing uses OpenVAS and the Metasploit framework…The what??? Suffice it to say, it is the most widely adopted exploit framework in existence that tests your systems!
  • Security Policy and Procedure Creation: Here it is… the creation of a Written Information Security Policy (WISP), which defines exactly how your organization is accomplishing its security policy objectives. This is the living document that states in writing how your agency plans to protect its physical and information technology (IT) assets as well as safeguard the data it collects. It must detail your agency’s operations on security, governance, inventories, controls, continuity & disaster planning, systems monitoring, and internal/external mitigation policies.
  • Security Procedure Auditing: This is an ongoing process that ensures your procedures are being carried out as defined. You do not want to attest to practices you are not following through on.
  • Security Program Updates: Be sure to regularly update your Policies, Procedures, Risk Register, and Employee Training materials as your environment changes.

OK, so that was a mouthful, and I am sure your eyes are glazed over a bit, but make no mistake, this is very serious stuff, and sorry to tell you this…it’s only going to get worse. Cyber crime is big business, a fifty-billion-dollar-a-year business!

If you don’t have someone helping you in this area, and need some assistance, you can contact VineIT, an FAIA Member Services preferred provider. 

The Agent's Role in Workers' Compensation


Special to FAIA by the Workers' Compensation Institute 

Far too often, the insurance agent’s role in workers’ compensation has been viewed only as a means of obtaining mandatory workers’ compensation coverage for the Florida employer. When an accident occurs on-the-job, the only personal contact that an employer has with the case is with the insurance agent, and, far too often, the agent’s advice to his customer is to call the claims office for the insurance company.


For the true professional insurance agent who really is concerned about his customer’s interest—whether it be pricing of premiums payable, types of coverages, prevention of accidents, or handling of claims or just providing much needed general advice to the employer—simply referring the employer to the insurance company provides a great disservice and often adds costs to the ultimate liability of the employer.

This year’s focus at the Annual Workers’ Compensation Conference, sponsored by the Workers’ Compensation Institute, is to present two days of breakout sessions for agents/brokers emphasizing the insurance agent’s primary position in making any workers’ compensation system work. The conference takes place August 6–9 at the Orlando World Center Marriott.

Agents play a very significant role in the workers’ compensation system. Agent breakouts will address topics such as: What exactly is the role of the agent/broker in claims handling? What does the claims handler depend upon the agent to do, and what role can the agent play in assisting in the defense of a claim? What role should the agent not assume?

On the other hand, how does the agent fit into the general risk management program of any employer? For a proactive agent, there is unquestionably a significant role in the pricing of workers’ compensation coverages, and in helping the risk manager appreciate how ultimate costs can be reduced by choosing the appropriate coverage and ensuring that the appropriate premiums are paid. Advocacy with regard to the interest of the insured employer is an essential function of providing added value to the employer and oftentimes contributes significantly to the employer’s bottom-line profitability.

Together, FAIA and NCCI will provide the most comprehensive educational session available for agents/brokers interested in professionalism in the workers’ compensation industry.

A complete program of the agent/broker breakout sessions and the program of the conference as a whole are available online.