Ethics & Insurance: Producer's Responsibilities to the Insured


Ethical Sales Practices for Producers

-A producer calls on a prospect for one reason: to offer a product or service that will benefit the prospect in some way.
-An agent must sell the kinds of policies that will best fit the prospect's needs in amounts that the prospect can afford to pay.
-No one profits if a prospect is coerced or misled into buying too much insurance or purchasing coverage that doesn't suit that prospect's needs.
-Before a prospect becomes a policyowner and transitions into a client, an agent follows 2 basic rules:
1. Make sure the product matches the needs of the prospect.
2. Provide continued service to the client.

Implement Appropriate Cyber Security Measures that Include:

-Access limitations
-Multi-factor authentication
-Encryption of nonpublic information during transit and on portable devices.
-Intrusion detection mechanisms.
-Audit trails.
-Data retention and disposal practices.
-Disaster recovery and business continuity plans.

Suitability Information

-Age
-Income
-Financial situation and financial experience
-Needs and Objectives
-Risk tolerance
-Tax status

Cyber Attack is the Top Most Risk for Businesses

-Any company that stores or deals with large volumes of personal data and relies on technology to operate is at high risk of being the victim of a cyber attack; any company that is connected in any way to the internet is at risk.
-Companies that use computers connected to the world wide web should invest in cyber liability insurance.
-The cost for a business to recover from a data breach, virus, or other cyber attack is covered by cyber liability insurance.
-It also covers legal claims resulting from a breach.
-Basic cyber liability coverage will only sometimes be provided by a general liability insurance policy or professional liability policy, but any business, particularly a business that stores personally identifiable information for employees or customers, should seek out a standalone or enhanced cyber liability insurance policy.
-Corporations have had major cyber attacks that have been publicized, but small businesses are particularly vulnerable to this type of attack.
-They lack large technology departments and IT staff. Cyber liability insurance helps them respond effectively to recover from a breach, covers any revenue lost as a result of the breach, and helps them quickly resume business and move on.

Network Business Interruption

-Any organization that depends on technology to operate is at risk of being a victim of a cyber attack.
-Companies that face a risk that will impede their ability to operate will want to be insured under network business interruption coverage.
-Network business interruption coverage can help a company recover lost profits, fixed expenses, and extra costs incurred during the time that their business was impacted when their network was down.
-This includes any loss arising from a security failure, such as a third party hack, or a system failure, such as a failed software patch or human error.

Cyber Insurance Exclusions

-As with all insurance policies, it is important to understand the exclusions.
-Cyber insurance policies generally do not cover:
  *Potential future lost profits.
  *Loss of value due to theft of your intellectual property.
  *Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event.

Privacy Liability

-Customer and employee information is sensitive.
-Breaches or violations that expose such data threaten the security of those compromised and expose businesses to liability.
-Privacy liability coverage can help a company protect itself from liabilities arising out of a cyber incident or privacy law violations.

How Other Policies Are Impacted by Cyber Risk

-Cyber risk takes many forms. So can the insurance policy for a cyber incident.
-Clients should be aware that just because they have other policies that may be activated in the event of a cyber incident, there are probably gaps around which damages a policy will actually pay.
-It is important that the producer make the client understand where and what those gaps are and, more importantly, what cyber liability insurance would do to cover those gaps.

Risk Assessment Under the IDSL the Licensee Must:

-Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program.
-Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third party service providers.
-Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information.
-Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including:
  *Employee training and management; information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal.
  *Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
-Implement information safeguards to manage the threats identified in its ongoing assessment and, no less than annually, assess the effectiveness of the safeguards' key controls, systems and procedures.

The Insurance Data Security Model Law Requires Insurers to:

-Develop, implement, and maintain a comprehensive, risk based information cyber security program.
-Implement appropriate cyber security measures.
-Have a written cyber incident response plan.
-Report cyber security events.
-Train employees in cyber security.
-Involve the board of directors.
-Conduct planned cyber security assessments.
-Oversee vendors.
-Certify compliance annually.

Errors and Omissions Insurance is not Equal to Cyber Insurance.

-E&O is designed to protect professionals in service based businesses, like lawyers, accountants, doctors, consultants, and insurance agents. It covers legal accusations of negligence, preventable mistakes, incompetent work and other professional errors.
-Technology E&O is designed to protect providers of technology services and products, such as website designers, computer hardware and software manufacturers and firms that store corporate data on an offsite basis. It covers lawsuits when a client sues over a data breach on their network, attorney fees, court costs, settlements or judgments, miscellaneous lawsuit expenses, other.
-Cyber Liability Insurance is designed to cover consumers and producers of technology services or products, and companies that handle sensitive information. It has first party coverage: protection for the data you own. It has third party coverage: protection for liability associated with your customers' data. It covers costs to respond to a breach that may include: investigation, notification, crisis management, credit monitoring, PR counseling, other first party and third party costs.

Formal Training on Cyber Attacks

-Ensure that policies and procedures relating to cyber security are clearly communicated to staff (concerning work computers and networking devices: checking personal e-mail, downloading files, plugging in unauthorized USB thumb drives etc. are strictly prohibited).
-Adopt an effective e-mail security solution: More than 90% of malware is transmitted via e-mail, which is the most common channel for business communication.
-Invest in IT personnel/consultants with strong cyber security backgrounds who are constantly abreast of developments in cyber security and related fields to provide sound recommendations on how to deal with new threats.
-Insurers should formulate a sound response plan including incident management (such as when and how to tell their customers), damage control to protect and recover their other assets in the event of a breach, how to respond when a staff member discovers a breach, who to inform, etc.

Errors and Omissions

-Errors and omissions coverage can protect a business if a cyber event keeps it from fulfilling its contractual obligations and delivering services to its customers.
-Claims arising from errors in the performance of or failure to perform services would be covered under errors and omissions insurance.
-This can include technology services, like software and consulting or more traditional professional services, like lawyers, doctors, architects, and engineers.
-Errors and omissions coverage addresses allegations of negligence or breach of contract should this occur and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.

Fiduciary Duty

-If fiduciary funds are received by a licensed producer, he/she must:
  *Remit and return premiums received to the insurer (minus commissions due).
  *Maintain fiduciary funds at all times in a trustee bank account separate from any other accounts, in an amount at least equal to the premium.
  *Return premiums that are received by the producer and/or unpaid to the person entitled to those funds.
-The responsibility of the licensee is to transfer the funds to the appropriate party as soon as practicable.

Stakeholders in the Cyber Security World

-Insurance providers, risk management professionals, social scientists, information technology experts, and critical infrastructure owners and operators are all considered cyber security insurance stakeholders.
-These are people whose work would all benefit from a larger and more all-encompassing cyber security insurance market.

Have a Written Cyber Incident Response Plan that Includes:

-Internal response processes.
-Clearly defined roles and decision making authority.
-Managed internal and external communications.
-Incident documentation procedures.
-Mechanisms for post incident revision and remediation.

Managing General Agent

-Is a licensee with the fiduciary capacity and the authority to transfer received funds to the appropriate party.
-Has a written management contract and an appointment with one or more admitted insurers that cover a substantial portion of the insurance business in the state.
-Manages transactions of either all or some classes of insurance for those insurers.
-Appoints, supervises and terminates the appointments of local agents.
-Accepts and declines risks.
-Collects premium funds from producing broker-agents and remits the funds to the insurers.

Professionalism

-Is a person in an occupation requiring an advanced level of training, knowledge, or skill.
-Producers are required to perform in a professional manner at all times.
-Being professional means placing the public's interest above your own in all situations. Any deviation could result in a penalty.
-A professional agent can meet his/her ethical responsibilities to an insured by fulfilling the customer's needs and providing quality service.

Suitability

-It is a producer's responsibility to evaluate the consumer's suitability information to assess how well various recommended products/services will meet a client's needs and resources.

Oversee Vendors

-Licensee must exercise due diligence by vetting vendors prior to onboarding and must contractually require vendors to implement appropriate safeguards to protect nonpublic consumer information and information systems.
-If a cyber event occurs within a vendor's systems, licensees must launch an investigation to gather information about and document the event.

Media Liability

-Media liability coverage provides coverage for intellectual property infringement resulting from advertising.
-It is specifically designed to protect media related organizations, such as publishers, broadcasters, advertising agencies, and video or film producers against common media and entertainment related liability risks.
-This coverage addresses the exposure that exists when a company releases electronic media on their internet site or print media.
-It also covers anything posted on a company's social media.
-Because it deals with content liability, it is usually included in cyber liability insurance policies.
-This coverage can cover losses from: copyright infringement, plagiarism, verbal or product disparagement, breach of implied contract, breach of license agreement and/or breach of product placement agreement, unauthorized use of material, trademark or names, invasion of privacy, defamation, libel, and slander.
-This type of coverage does not protect against patent infringement.

Needs Based Selling

-Most agents recognize that selling to fit needs is the best approach to the products and services that they represent.
-They know that specific types of insurance policies are designed to meet specific needs, so matching policies to the appropriate needs produces the maximum benefit to the policyowner.
-They know that needs selling involves problem analysis, action planning, product recommendation and plan implementation.
-This requires 2 important commitments on the agent's part:
1. Obtaining and maintaining the knowledge and skills necessary to carry out those tasks.
2. Educating the prospect or client about the products and plans that may be implemented.

Report Cyber Security Events to the State Insurance Commissioner

-Must be reported if the state is the domicile (home state) or the compromise of nonpublic information of at least 250 state residents requires reporting pursuant to another applicable law, or creates a reasonable likelihood of material harm to a consumer or business operations.
-Reporting must occur within 72 hours of discovering the event.
-Licensees must retain for 5 years all records concerning a cyber event, and must make those records available to the commissioner upon request.

What Cyber Insurance Covers

-Network Security
-Privacy Liability
-Network Business Interruption
-Media Liability
-Errors and Omissions
-Cyber Insurance Exclusions

Insurer's Best Data Practices

-Network Security Monitoring Solution: this type of computer security runs all day every day, monitors factors like network traffic, logins, and general activity, and sends an alert when there is any questionable activity that may require investigating.
-Vulnerability Scanning: hones in on finding security holes that cyber attackers could exploit. This allows you to resolve any issues before hackers can use them to infiltrate your systems.
-Multifactor authentication: this method of authenticating the identity of the computer user prevents access to a network until the computer user has presented two or more pieces of evidence to prove who they are and that they are allowed to have access to the website, computer program, or information they are attempting to access.

Why Cyber Liability Insurance is Critical for Businesses

-Organizations store and deal with large volumes of personal data and rely on technology to operate; this alone is enough reason to buy cyber liability insurance.
-When organizations work in a highly regulated industry like healthcare or finance, they must be in compliance with data security provisions or face stiff fines and serious penalties.
-Regardless of industry, cyber liability insurance has become a contractual requirement as well as a part of due diligence.

Insurance Data Security Model Law (2017)

-Passed by the National Association of Insurance Commissioners.
-Created rules for insurers, agents, and other licensed entities covering data security, investigation and notification of breach.
-This includes maintaining an information security program based on ongoing risk assessment, overseeing third party service providers, investigating data breaches, and notifying regulators of a cyber security event.
-It requires licensees to investigate a cyber security event and notify the state insurance commissioner of a cyber security event.
-It also grants insurance commissioners the power to examine and investigate licensees' security deficiencies they find during an examination.

Requirements Under the IDSL a Licensee's Information Security Program Must:

-Protect the security and confidentiality of nonpublic information and the security of the information system.
-Protect against any threats or hazards to the security or integrity of nonpublic information and the information system.
-Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer.
-Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

The duties of a producer to his/her client

-Provide adequate coverage.
-Provide proper legal notification.
-Place business on the best possible terms for the client.
-Investigate carrier stability.
-Give correct coverage options related to the insurance.
-Other duties as determined by the courts.

Quality Service

-Service is a primary function of the insurance industry.
-The way that service is provided often determines the agent's future, since clients are a good source for future sales and references.

Agents Fiduciary Responsibility

-The agent is legally obligated to perform his/her duties in an ethical manner.
-An agent who agrees to obtain coverage for a client is obligated to exercise the same degree of care as would be expected from a reasonable, prudent and competent professional in the field.

Client Loyalty

-The agent owes the policyowner the same degree of loyalty that he/she provides to the insurer.
-The agent is also responsible for ethical behavior regarding full disclosure, confidentiality, the timely submitting of all applications, and prompt policy delivery.

Develop, Implement and Maintain a Comprehensive, Risk Based Information Cyber Security Program

-The program must encompass administrative, technical, and physical safeguards to protect nonpublic consumer information and the licensee's information systems.
-The chosen safeguards should be commensurate with the size and complexity of the business, as well as responsive to the risks identified during regular risk assessments.

Knowledge and Skills

-The relationship between the professional insurance agent and the prospect is usually built upon the prospect's trust in the agent's knowledge and skills.
-The policyholder relies on the agent to provide informed options and trusts that the agent's recommendations for insurance are in the client's best interest.
-The agent has an obligation to ensure that this trust is justified. This means that he/she has the ethical responsibility to obtain the necessary knowledge and skills needed to evaluate and service the insurance needs of the clients.
-An agent must also keep his/her base of knowledge and skills current. The agent must be committed to a program of continuing professional education.
-Professional implies that the individual possesses knowledge and skill. If the agent feels that he/she is not properly trained to perform the needed service, then another professional should be called in to assist.
-Agents should be competent professionals with a high degree of technical knowledge so that they consistently match a prospect's need with the appropriate solution.

The Producer Serves the Best Interests of Both the Client and the Insurer.

-Their interests actually align at specific points and are not actually in conflict.
-The clients have needs that require coverage and the insurer is willing to take a calculated risk to provide coverage for the client's needs.
-By promoting the concepts that insurers stand for and selling the appropriate products in a competent, professional manner, the agent meets the needs of both.

Cyber Security the Insurer's Responsibility

-Transactions of funds must be dealt with securely.
-Highly sensitive information and PII from employees and customers must be secured.

Cyber Liability Insurance Buying Guide

-New cyber threats emerge daily, hitting every size of organization from small businesses to the federal government.
-Those who are not considering how to address these threats may be forced to face serious situations leading to financial crisis, even ruin.
-For a new buyer of cyber coverage, the assessment and buying process can be intimidating.
-Cyber coverage comes in two types of policies: packaged policies and standalone policies.

Why Cyber Liability Insurance Is Needed

-With rapidly changing technology and increasingly aggressive and capable hackers, a cyber security defense strategy is not enough; it can't be guaranteed to be completely effective by itself.
-Any person or entity who uses e-mail, social media or mobile technology is vulnerable to a cyber attack.
-A vast amount of sensitive and important information can be targeted and revealed through e-mail scams or ransomware attacks.
-Most businesses and individuals do not have cyber insurance and will not have adequate resources to survive the financial damages of a cyber attack.

Responsibilities in Regard to Cyber Security

1. Cyber Security Insurance
2. Coverage for Businesses
3. Insurance Data Security Model Law Regarding Rules for Insurers.
4. Insurer Responsibility

8 Reasons to buy Cyber Liability Insurance

1. The organization holds a large volume of personal data subject to state specific data breach laws. Cyber insurance helps cover costs to comply with state, federal and international laws after a breach.
2. The company is reliant on technology to operate its business. It can become particularly vulnerable to ransomware, rendering it unable to do business; the resulting impact can be mitigated through cyber insurance.
3. The company needs to comply with regulations, especially if it is in the healthcare or financial industry; both must have data security provisions and are subject to fines and penalties for compliance violations. Cyber insurance covers regulatory fines and penalties.
4. It is a contractual requirement. Many contracts with vendors or clients require cyber insurance to be in place prior to executing the contract.
5. It is protection when cyber security fails. No cyber security is impenetrable, so cyber insurance is an important safety net to have in place.
6. It is a turnkey incident response plan: Cyber insurance policies come with a team of vendors that specialize in incident response, including: legal counseling, IT forensics, consumer notification, on demand call centers, and public relations specialists.
7. It's part of the company's board of directors' due diligence. With due diligence to their oversight role in the company, many boards see cyber security and cyber insurance as necessary components for safeguarding the company.
8. Pre loss services are included as part of the insurance policy. Many cyber insurance policies come with pre loss risk mitigation services; these security tools and best practices can offset security spending and provide significant value, particularly for small to medium businesses.

Involve the Board of Directors

A licensee's board of directors is ultimately responsible for overseeing the information cyber security program. The board must receive an annual report on the overall status of the security program.

Network Security

A Network Security coverage grant is very important to many companies, especially those subject to information risk and privacy risk due to cyber attack. This covers a business in the event of a network failure and includes first-party expenses.

Standalone Cyber Liability Policies.

Coverage under a standalone cyber insurance policy is more comprehensive and offers a broader range of cyber risk coverage than coverage that is merely an extension of coverage offered under another policy. It is specifically designed and tailored to the client's needs.

Conduct Planned Cyber Security Assessments

Licensees are required to annually assess the effectiveness of the safeguards' key controls, systems, and procedures. There is room for variances at the state level for tighter timeframes or more specific required testing.

Certify Compliance Annually

Licensees must annually certify their compliance with the applicable state insurance commissioner. Additionally, licensees must retain for 5 years all records, schedules and data supporting their compliance.

Train employees in Cyber Security Measures

Licensees must provide cyber security awareness training to employees. Licensees are also responsible for monitoring legal and threat developments in the cyber security landscape and for updating their training program (as well as security safeguards) to reflect these developments.

Personally Identifiable Information (PII)

PII includes any data that can be used to identify a particular individual, such as:
*Name
*Date of Birth
*E-mail address
*Social Security Number
*Credit card number
*Bank account number
*Address
*Cell Phone Number

Packaged Cyber Liability Insurance

Packaged: Tech errors and omissions coverage with Cyber liability insurance. This means both policies would respond to a single coverage trigger and cover any situation that involves both a service failure and a data breach. If they weren't packaged, the pure errors and omissions coverage would respond to the service failure but the data breach would be explicitly excluded. The Cyber liability insurance coverage would cover the data breach but would not cover the technology service failure.

