October 20, 2016
Best Practices for Secure Agency – Carrier Communications Pt. 2
By: Kevin Horgan
In Part 1 of our series on secure agency – carrier communications, Sydney outlined the security concerns in the industry for both agencies and carriers. Carriers are requesting additional steps in collecting producer information to ensure protected data, which can hold up the onboarding process. It's no surprise that the industry has recently turned its focus towards security. 3 of the largest data breaches of 2015 were in the healthcare industry, with Anthem being the largest. The industry is correct to be extra cautious when dealing with these communications.
Last year, Tim Owen wrote a post on the importance of secure producer data. The post explained that although awareness of the risks and consequences of insecurely sharing data had increased as a result of these massive breaches, the changes in procedure needed to address these threats had been slow to materialize in the industry. So how can agencies adhere to security best practices while also keeping the communication process running smoothly?
Most onboarding today involves emailing attachments with personally identifiable information, which carriers are starting to reject when the attachments are sent insecurely. This often leaves agencies confused about how they are supposed to send this data. What options are available?
Securely sending your information via email
Carrier representatives at the SILA Agency-Carrier Faceoff session suggested sending secure information via email, but there are several methods of accomplishing this, as outlined in Part 1 of this series:
- Encrypt your documents before attaching them to an email
- Encrypt your entire email before sending it
- Store documents to a secure online storage solution and email the carrier a link
Let's go through these methods one by one.
Encrypt your documents
The first method is to utilize a tool – such as 7zip, WinZip, PGP Zip, or WinRAR – to create an encrypted zip file containing your documents, which can then be attached to an email. Other tools may already be available through your work environments.
However, this method is quite technical. It requires the file sender (you) to coordinate with the file receiver (your carrier partners) on encryption keys, and requires your producers / agency staff to take extra steps to encrypt and zip documents. It also requires your carrier partners to go through extra decryption steps in a program that can open encrypted files.
Encrypt your entire email
Encryption of your entire email can be done through the email application you use, Microsoft Outlook for example, or through a secure email provider. Encrypted email with Outlook requires the exchange of digital IDs between sender and receiver, so that messages can be signed, encrypted, and sent – then received, decrypted, and verified. If this exchange hasn't taken place, encrypted emails cannot be sent.
Secure email services like ProtonMail and Tutanota require both the sender and recipient to be members of the platform. This adds an extra location carriers must go to receive your documents, and many carriers are unable to accommodate these agency-specific steps (especially true for smaller agencies). In addition, a limited amount of server space is given to free accounts. More space requires a premium membership at a cost.
Store documents to a secure online storage solution
A third example of file sharing is to upload documents to an online storage solution. Access then must be shared with the carrier for them to access the documents. Services such as Dropbox and Box are widely used, but lack the amount of security controls found in secure cloud storage solutions such as Tresorit and SpiderOak. These services emphasize enhanced security control and data encryption, at the cost of the ease of use, speed, and cross-environment compatibility of their less security-oriented counterparts.
Similarly to secure encryption services, this solution adds an extra location carriers must go to receive your documents. This, as noted previously, may cause problems in the process of your carrier communications.
Other solutions from your carrier partners
We've gone through several examples of methods to securely share files, each with their own pros and cons. However, the most important thing to consider is whether your carrier partners will accept the secure solution you choose. The best option may be to ask your carriers what their preferred method is. The method that is the easiest for you and your agents may be the method most burdensome on carriers, so make sure to familiarize yourself with your carrier's preferences and approaches for secure communication. Some carriers have secure onboarding technology in place for their agencies to use, like Producer Express from Vertafore. With secure onboarding technology, agencies are relieved of the cost and technical burden of encryption, along with the risk of unsecure document attachments.
Ensure a secure communication system is in place! Reach out to your carrier today to find out if they could be taking advantage of onboarding technology, and be sure to subscribe to the Sircon blog to keep posted on this series. Stay tuned for the next installment, which will look at carriers' current approach to communications and more best practices for staying security-minded in agency – carrier communications.
Kevin Horgan is the Web Coordinator for Vertafore's Sircon team, and a proud MSU Spartan alum. You can connect with him on LinkedIn at https://www.linkedin.com/in/kevin-horgan-435b88b0