PropertyCasualty360.com has a post up on its site today that features a question-and-answer session with Troy Stairwalt, chief information security officer of Westfield Insurance. I encourage you to read the entire article, but here are some excerpts I want to emphasize:
"Here are three common ways an agency is most likely to be caught in a cyberattack:
- Ransomware
- Supply chain management
- Third-party vendors
All three represent real cyberthreats to agencies for several reasons including:
- Increase in cyberthreat activity;
- Increasing regulatory requirements and repercussions; ...
- New requirements simply to be eligible to apply for cyber insurance coverage. ...
Industry, state and federal regulations have been — and will become — increasingly onerous in response to cyberthreat level activity, which incidentally, since the pandemic, has consistently been at all-time highs year-over-year.
This means agencies will have to adhere to regulations or face repercussions, including fines and penalties. These regulations will require agencies to know where their sensitive data resides and who has access to it. Agencies will also need to show that they have implemented reasonable and prudent controls to effectively manage the risk and demonstrate adherence to regulatory requirements. Multi-factor authentication is simply table stakes in 2022. Expect those stakes to increase. ...
The first thing agencies should know is that cybersecurity does not have to break the bank. There are cost-effective ways to protect against a breach. ...
- (Agencies) are more likely to get caught up in a net as collateral damage, versus directly targeted. ...
- One of the most-effective ways to mitigate the risk is security awareness. Train employees so they’re not susceptible to social engineering attacks. Phishing and voice and/or text 'phishing' scams are all too prevalent in 2022. ...
If agencies don’t have multi-factor authentication implemented, it’s unlikely they will even be considered for cyber insurance coverage. ..."
There's a lot more, and I again encourage you to read the entire piece. Suffice it to say that, even if states were not implementing insurance data security laws and regulations (Kentucky became the 21st state to do so last month), cybersecurity would not be optional.
To learn more about New York's Cybersecurity Requirements For Financial Services Companies regulation, consider purchasing and downloading Big I New York's CE On Demand course, 10 Things to Know about the NY Cybersecurity Regulation. If you pass the accompanying exam, you will receive two hours of New York continuing education credit.
Also, network security consulting firm Motiva offers Big I New York a free, no-obligation cybersecurity audit. Contact them to learn more about what you can do to protect your computer systems and your clients' private information.