News headlines continue to remind us about organizational vulnerability to data breaches. Although retailers and hotel chains have suffered the most in terms of lost customer confidence, virtually every enterprise has exposure to the backlash from anyone who may feel betrayed.
In recent weeks, for a study I am writing, I interviewed 18 experts from a variety of companies and government agencies regarding threats by those who feel they may have had their personal information stolen. In doing so, we seek to build a better understanding of non-weapon-based threats in which your receptionist, an agent or anyone in your insurance practice who interacts with others could realize that data was lost or stolen. In very rare cases, an angry client can begin to threaten an agent, a general agent or even a chief executive officer. The time to think about how to react to such a situation is now.
Again, purely through the lens of ensuring that client data is protected and that you are ready if there is an intentional breach by a third party, here is what we have learned:
If your broker/dealer or underwriter has offered public assurances of cyber resiliency, you should be aware of past pledges and promises made. The Wall Street Journal recently criticized the CEO of Target for arguing against the “chip in a credit card” process that is increasingly being adopted by Visa, MasterCard, American Express and other card issuers. Now the CEO is encouraging retailers who have their own card, such as Target, to adopt the technology. It took a seismic embarrassment for him to reach that conclusion, and the Journal called him on it.
Any client, especially one contacting a property/casualty agent after an accident or tragedy, can be emotional and could express hostility, especially to a claims representative. Most people are venting after the loss of a home or boat and are waiting to get their life restored. Threats against life insurance agents are incredibly rare. However, when you (or your B/D) must notify hundreds or even thousands of clients of a potential data breach, life will change. Besides the “jerk” who is mouthing off, the hostile client may include a member of your church or synagogue, a soccer mom or dad, a National Guardsman, or an AARP member. This is new territory for many insurance agents who must ponder: “Do I say I’m sorry? Does that assume liability? How can I explain a data breach when I don’t even know if the data will ever be used to the detriment of a client?”
Your team should be ready to discuss and should have a plan to:
» Have standby statements if client data were lost or stolen. This includes a list of frequently asked questions and answers that can always be modified based on the incident.
» Have a brief email ready for delivery to clients once you are informed and receive approval from your B/D about communicating. Research by the Ponemon Institute suggests that companies targeted in a data breach knew about it for 10.9 days on average before enacting a meaningful response. In a world of “now,” this is unacceptable.
» Be ready with a “shadow website” that would be placed parallel to your agency’s website with updates on how to contact LifeLock or other security companies and how to report any questions or concerns to authorities in the event of a massive breach announced by any of the companies with whom you write business.
The time to seek approval on wording from compliance will not be when Fox News or CNN announces the breach. While your home office will push back and say, “We have that covered,” it will not be able to take your calls when a national story unfolds. Make the home office staff earn their salaries now.
» Review your errors and omissions and directors and officers policies now to determine what exposure you may have if there is a data breach. Remember that employee data within your human resources database is as potentially exposed as client or underwriting information. Separate information technology coverage is available to most insurance professionals from your underwriter. The cost of that coverage, while high, will likely only surge in the next year. My recommendation is that you consider locking in a rate for a multiyear policy from a quality carrier. Negotiate hard, as prices vary widely depending upon the number of policies you have within your practice.
Charisma is a quality, but it is only one of several needed to be instrumental in guiding your practice through a storm. Think about an airline pilot who is aware of storms around him. He turns to the co-pilot and must consider not only Federal Aviation Administration and weather data but also what he sees and observes. The co-pilot, looking at the same radar screen, says that she is aware of what other pilots are saying and that a change in plans is prudent.
That is precisely what is happening in the insurance industry. The radar screen is showing us situations in other industries. You’re the pilot.
Now act like one and get us around, and through, this storm.