Reducing brokerage liability (how not to lose a quick million)
Brokers who do not actively manage their company's security information can find themselves on the hook for a lot of money: in the case of one West Coast brokerage, $1.5 million and a ruined reputation. Whenever a brokerage has a security problem, the media likes to dramatize the story. To avoid this situation, agents should be trained to manage clients' physical information in both the mobile and home office environments.

A Risk Management Consultant at safety solutions in Africa says that “every insurance broker understands the delicate balance of client risk versus broker liability.” When a brokerage comes to the risk assessment of a client's commercial and industrial benefits, no broker wants to hold the liability for a shortfall. This is particularly applicable to occupational health and safety risks at the client's premises. According to Kilian, occupational health and safety has become integral to risk assessment. However, many brokers are reluctant to complete this process without outside expertise, because of the enormous pressure associated with broker liability. When conducting a risk assessment of a client's premises, certain questions need to be answered. Do you know what to look for on site? Can you identify all possible risks associated with occupational health and safety, including fire, accidents, or possible injury to employees, the public and so on? And once these have been identified, can you suggest effective ways to mitigate these risks before insurance cover is provided for the client?
Manage the physical security of sensitive information:-
Keep sensitive information physically secure; that goes for paper, hard drives and flash drives, computers and mobile devices. Physical information should be kept in a locked room when not in use, and take care with information when working on a mobile device. Use a cross-cut shredder to dispose of items you no longer need.
Manage sensitive information with secure software:-
Use professional-grade document and transaction management tools, not Dropbox. Make sure good information security practices are part of your contracts for websites and software; this is a requirement in some states.
Create and protect strong passwords:-
Passwords should contain letters and numbers, be at least eight characters long, and be unique to each account. Change passwords every 120 to 180 days. Never write a password down, and never share a password with anyone. If a password management program is being used, bear in mind that “remember password” features are not ideal. To protect your accounts, log out of the computer when you are done with websites or other resources.
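The policy above can be checked mechanically at the moment a password is set or reviewed. The following is an added example written for this article, not code from the author or any product; the function names, the constructed sample passwords and the date values are this example's own assumptions. It flags a candidate password that is too short, lacks letters or numbers, or is reused from another account, and classifies an existing password by age against the 120 and 180 day rotation window the article states. In practice a password manager performs the reuse check across its stored vault entries rather than on plaintext lists.

```go
package main

// Added example for the article's password policy: letters and numbers,
// at least eight characters, unique per account, rotated every 120 to
// 180 days. Function and constant names are this example's own choices.

import (
	"fmt"
	"time"
	"unicode"
)

const (
	minLength        = 8   // article: at least eight characters
	rotateAfterDays  = 120 // article: change every 120 to 180 days
	overdueAfterDays = 180
)

// PolicyFindings lists every policy rule the candidate password fails.
// An empty result means the password passes. alreadyUsed holds passwords
// already assigned to other accounts (a constructed input for this example).
func PolicyFindings(candidate string, alreadyUsed []string) []string {
	var findings []string
	if len([]rune(candidate)) < minLength {
		findings = append(findings, fmt.Sprintf("shorter than %d characters", minLength))
	}
	hasLetter, hasDigit := false, false
	for _, r := range candidate {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		findings = append(findings, "must contain both letters and numbers")
	}
	for _, used := range alreadyUsed {
		if used == candidate {
			findings = append(findings, "reused from another account")
			break
		}
	}
	return findings
}

// RotationStatus classifies a password by age: "ok", "due" once it is older
// than 120 days, "overdue" once it is older than 180 days.
func RotationStatus(lastChanged, now time.Time) string {
	ageDays := now.Sub(lastChanged).Hours() / 24
	switch {
	case ageDays > overdueAfterDays:
		return "overdue"
	case ageDays > rotateAfterDays:
		return "due"
	default:
		return "ok"
	}
}

func main() {
	// Constructed sample values for illustration only.
	existing := []string{"summer2023x"}
	for _, p := range []string{"short1", "longpassword", "summer2023x", "br0ker-0ffice-2024"} {
		fmt.Printf("%-22q -> %v\n", p, PolicyFindings(p, existing))
	}
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("200 days old:", RotationStatus(now.AddDate(0, 0, -200), now))
	fmt.Println("150 days old:", RotationStatus(now.AddDate(0, 0, -150), now))
	fmt.Println("30 days old: ", RotationStatus(now.AddDate(0, 0, -30), now))
}
```

The reuse check compares against the other accounts' passwords only because this is a self-contained demonstration; the point for a brokerage is that "unique" is something a tool can enforce, not something to leave to memory.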
Configure mobile devices for security and keep them updated:-
At the very least, require a hard-to-guess password to use the device, use the encryption features, and set Bluetooth to “hidden mode” or disable it when not in use. Be very careful to limit installation of third-party “apps” to those created by reputable companies.
Install antivirus software:-
No antivirus software can protect against all viruses, but installing it is a reasonable precaution. There are different antivirus programs for different devices, including those from Microsoft, AVG, Avast, ESET, McAfee, and Norton.
Use encryption:-
Encryption turns information that anyone can read into something that is unreadable unless one has the right “key.” This way, the information doesn’t fall into the wrong hands. Encrypted information may be stored on a hard drive or flash drive, attached to an email, or sent over the internet.
Establish policies and procedures:-
Policies define what behavior regarding the protection of sensitive information is expected and what behavior is not allowed. Many draft policies are available online. Policy management must include at least employee and contractor education, monitoring, enforcement, and regular re-evaluation and revision.
Create a Written Information Security Program (WISP):-
Create a document formalizing how you are minimizing the risks:
- Identify who at your company is responsible for information security.
- Identify reasonably foreseeable risks. Are you only collecting and keeping information you need? How will you prevent terminated employees from accessing sensitive information? Are you contracting for information security with technology vendors?
- Develop policies for the location and both physical and electronic security of records.
- How are you monitoring compliance with the best practices you’ve outlined?
Prepare for an incident:-
No matter what steps you take, it’s possible that an information security incident will occur. Be prepared with the phone numbers of the appropriate law enforcement agency, your financial institution, and a local computer forensics expert. Consider the messaging your company will use if an incident occurs.
There is no such thing as eliminating all risk. Implementation of these policies and procedures may prevent embarrassment, compromise, and financial loss. You do not want to be the broker with the TV cameras outside and a reporter waxing poetic about what you’ve let happen to your clients.