As cybersecurity and data privacy regulations become more commonplace and demanding, insurance brokers can play a key role in helping customers avoid the risks of noncompliance.
By Bart Shachnow, Head of Zurich Academy and Sales Performance Director, Zurich North America
We all know that cybersecurity is a top concern for all of our clients, regardless of the size of the business they’re in or the industry in which they operate. We also know that all entities are vulnerable, and are successfully preyed upon by hackers, whether they are Fortune 500 companies, national security agencies or a corner grocery store.
The insurance industry has developed many products and services to help protect our clients against data breaches. But the industry hasn’t done a good job helping them focus on cybersecurity and data privacy regulatory and legislative risk.
- Regulatory risk relates to a company’s inability to comply with laws or mandates.
- Legislative risk relates to the potential for current or prospective laws or regulations to adversely impact a company’s business prospects and/or ability to compete.
While of course you should not engage in the unauthorized practice of law or advise clients on legal issues (unless you are licensed to do so), making your clients aware of risks they face and how to manage them is definitely part of your job description. This is increasingly important as it applies to cyber-related issues.
Let me explain why this is true and the role you can play in helping clients address cyber and privacy-protection regulatory and legislative risks:
1. Privacy and data protection laws are on the increase and are being enforced more aggressively. As our lives grow increasingly dependent on online activity and the Internet of Things, our vulnerability is also increasing. Legislators and regulators are paying attention and responding accordingly, with more regulations and stricter fines and penalties for noncompliance.
2. The legislative and regulatory environment varies widely by country and region. The European Union (EU) has enacted a data privacy law in the General Data Protection Regulation (GDPR), which is applicable throughout its member states. Thus, one law and one standard apply. It is exactly the opposite in the United States, where there is a hodgepodge of different laws governing privacy, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Electronic Communications Privacy Act, Video Privacy Protection Act, Children’s Online Privacy Protection Rule, etc. And these are just at the federal level. Nearly all states have also enacted their own data privacy laws.
3. GDPR and CCPA are not the “only games in town.” When I speak with brokers on this topic, the two data protection and privacy laws that come up far more often than any other are the GDPR and the GDPR-inspired state law known as the California Consumer Privacy Act (CCPA). One would think that those are either the only, or the most important, privacy acts in the world. This is patently false. Most countries have their own data protection and privacy laws, and some are even more stringent than the GDPR and CCPA. And while the CCPA was the first major, comprehensive state privacy law, other U.S. states have followed suit with equally comprehensive data privacy laws (see especially the Virginia Consumer Data Protection Act and the Colorado Privacy Act — both laws passed this year and are scheduled to go into effect in 2023).
4. Ignorance of the law is no excuse. Your clients are well-advised to abide by this time-worn maxim. A company could be unwittingly subject to data protection and privacy laws that are in place in states and countries other than those in which it is headquartered or operates. And those laws may be radically different. In the U.S. alone, states have widely different laws concerning the definition of a data breach, when and to whom it must be reported, how customers must be notified of breaches, and fines and penalties for noncompliance. Not knowing the regulations is not an adequate defense.
5. Practical, cost-effective solutions to manage regulatory and compliance risks are available. There is an abundance of guidance on standards, policies and procedures that can help companies manage cyber risk. An excellent example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Framework offers industry standards and best practices designed to help organizations of all sizes identify cybersecurity risks and vulnerabilities, and to reduce those risks with strategies suited to the size, resources and expertise of each organization. Help your clients integrate cyber risk management into their overall enterprise risk management framework.
6. Cybersecurity and privacy law compliance is an underwriting issue. Cyber underwriters are evaluating a company’s awareness of, ability to, and commitment to comply with current and increasingly demanding cybersecurity and privacy rules and regulations. Companies that can demonstrate their compliance policies and procedures, their alignment with current and prospective data privacy laws, and that such policies and procedures are understood, enforced and embraced throughout the organization are better underwriting risks. As a broker, you have a vital role to play in making your clients aware of regulatory and legislative risks and how they can comply. Your success will put your client in a better position to secure broader coverage at a more favorable price.
As always, I welcome your comments and questions. Please reach out to me at email@example.com.
Bart Shachnow, CFP®, CLU, ChFC, CPCU, is Sales Performance Director at Zurich North America and Head of the Zurich Insurance Academy training programs. Bart works with a variety of stakeholders, including Zurich colleagues, as well as distributors and customers, to develop and share information, ideas and strategies that can help these internal and external audiences perform more effectively and productively.
The information in this publication was compiled from sources believed to be reliable and is intended for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.