I work for a mutual insurance company that uses independent agents as its sole distribution system. In this situation the independent agent/agency 'owns' the new business and renewal. They can move the business to any insurance company at any time assuming they have permission from their customer.
Yes, the independent agent/agency has access to non-public personal information, however they are the one acquiring the information. They are storing it in their agency management system and transferring it to one or many insurance companies to have the insurance policy issued. In our company we do not return any PPI to the insurance agency/agent. They may come to our agent/agency portal to provide updates, but no PPI is being returned.
In addition to the agency agreement/contract we have a Third Party Information Security Guidelines document the agency is required to sign and follow.
We have excluded independent insurance agents representing the company from our Vendor Management program as the relationship is different enough and is handled by the Field Operations unit.
Original Message:
Sent: 11-02-2020 07:51 AM
From: David Medina
Subject: Assessments for Independent Agents
Hi Gordon,
Independent insurance agents are insurance agents or brokers that are not employed by any specific insurance agency. They are able to sell insurance policies from multiple companies, where they are paid on commission for each policy sold. Based on this, we consider them high-risk third-parties since they will have access to customer non-public data.
Respectfully,
David Medina
Original Message:
Sent: 10-30-2020 09:45 AM
From: Gordon Rudd
Subject: Assessments for Independent Agents
Hi David,
Can you give us a bit more definition around your definition of "independent agent"? What does the agency relationship with these folks look like?
Thanks,
Gordon Rudd
Original Message:
Sent: 10-28-2020 12:04 PM
From: David Medina
Subject: Assessments for Independent Agents
Hello,
As we are developing our TPRM program we are looking to get security assessments to our independent agents, who we list as third-parties. We are not going to give them our usual assessment that we give to the rest of our critical/high-risk vendors, which is a few hundred questions. We are looking to give them an assessment of about 20-30 questions. Does anyone have any examples of assessments that are utilized for independent agents? Thank you.
Respectfully,
David Medina