Risk Assessments

  • 1.  Assessments for Independent Agents

    Posted 10-28-2020 12:04 PM
    Hello,

    As we are developing our TPRM program we are looking to get security assessments to our independent agents, who we list as third-parties. We are not going to give them our usual assessment that we give to the rest of our critical/high-risk vendors, which is a few hundred questions. We are looking to give them an assessment of about 20-30 questions. Does anyone have any examples of assessments that are utilized for independent agents? Thank you.

    Respectfully,

    David Medina


  • 2.  RE: Assessments for Independent Agents

    Posted 10-30-2020 09:46 AM
    Hi David,

    Can you give us a bit more definition around your definition of "independent agent"? What does the agency relationship with these folks look like?

    Thanks,

    Gordon Rudd


  • 3.  RE: Assessments for Independent Agents

    Posted 11-02-2020 07:51 AM
    Hi Gordon,

    Independent insurance agents are insurance agents or brokers that are not employed by any specific insurance agency. They are able to sell insurance policies from multiple companies, where they are paid on commission for each policy sold. Based on this, we consider them high-risk third-parties since they will have access to customer non-public data.

    Respectfully,

    David Medina


  • 4.  RE: Assessments for Independent Agents

    Posted 11-02-2020 11:13 AM
    I work for a mutual insurance company that uses independent agents as its sole distribution system. In this situation the independent agent/agency 'owns' the new business and renewal. They can move the business to any insurance company at any time, assuming that they have permission from their customer.

    Yes, the independent agent/agency has access to non-public personal information, however they are the one acquiring the information. They are storing it in their agency management system and transferring it to one or many insurance companies to have the insurance policy issued. In our company we do not return any PPI to the insurance agency/agent. They may come to our agent/agency portal to provide updates, but no PPI is being returned.

    In addition to the agency agreement/contract we have a Third Party Information Security Guidelines document the agency is required to sign and follow.

    We have excluded independent insurance agents representing the company from our Vendor Management program as the relationship is different enough and is handled by the Field Operations unit.

  • 5.  RE: Assessments for Independent Agents

    Posted 11-02-2020 12:46 PM
    I thought that would be your answer. Since the agent collects the information and sends it to your insurance company, I would write them out of scope. This isn't a cybersecurity issue from an NPI standpoint, though I do realize the agents have to send your company in some digital format.

    Mark Ewert gave an excellent response that I agree with. 

    Anyone have any other thoughts?