When Pennsylvanian insurance agencies think about the new cybersecurity compliance regulations through the Pennsylvania Insurance Data Security Act (Act 2 of 2023), also called “PIDSA”, most agencies immediately focus on their internal organizations.
Questions are asked about passwords, multi-factor authentication (MFA), computer protections, and backups. All of these are important questions, but they miss one of the biggest liabilities that PIDSA addresses…
Third-party vendors.
From managed IT providers and cloud storage platforms to agency management systems and email providers, insurance agencies rely on a growing network of third-party service providers to support daily operations.
Under PIDSA, vendor oversight is no longer just a best practice that should be in place. It is now a required part of a comprehensive cybersecurity program and a condition of keeping your agency compliant.
If third-party vendors have access to your systems, your customer information, or even your agency’s operations, their cybersecurity practices and procedures directly impact your agency’s risk exposure.
Why Does Vendor Oversight Matter?
Most cyberattacks begin with human error, whether it’s an employee clicking a malicious link, opening a malicious attachment, or accidentally sharing login credentials. Once your agency has trained its staff and protected itself against human error as well as it can, it is easy to believe, wrongly, that you are fully protected and compliant with PIDSA.
However, your third-party vendors also have employees who may not be trained or properly protected. Even for businesses and agencies with sound internal cybersecurity practices, a large share of data leaks and breaches originate with a third-party vendor being compromised rather than with the agency itself.
This happens because third-party vendors frequently hold privileged access to customer information, agency systems, admin accounts, backups, cloud data, and communication channels. And a vendor rarely holds that access for just your agency; it likely holds the same access for countless other agencies and businesses. That makes the vendor a single, high-value target for cybercriminals: one successful intrusion can expose every client at once.
This is one reason why the Pennsylvania Insurance Department’s implementation of PIDSA places a high priority on third-party service provider oversight.
Specifically in their guidance, all covered entities (meaning your agency) are expected to exercise due diligence in selecting service providers and require appropriate cybersecurity protections.
Which Vendors Should Your Insurance Agency Review?
When it comes to vendor oversight, it’s important to have a holistic picture. Without it, you might forget or miss a vendor that has access to sensitive information or supports a critical agency function.
To give your agency a starting point, here’s a list of some examples of the types of third-party vendors that you may use:
- Managed IT Providers
- Agency Management System (AMS)
- Cloud Storage Provider
- Email Providers
- VoIP and/or Phone Systems
- Backup Providers
- Cybersecurity Vendors
- Payroll Systems & Companies
- HR Software
- Electronic Signature Platforms
- Customer Communication Platforms
- Document Management Systems
This isn’t an exhaustive list, but what it reveals is that many agencies likely rely on third-party vendors that could impact their PIDSA compliance and liability.
If a vendor could impact your ability to protect nonpublic information or continue business operations, then they are a vendor who needs to be evaluated under PIDSA.
What Should You Ask Your Vendors?
A vendor review doesn’t need to feel like a regulatory audit.
The main goal is to understand whether your vendors take cybersecurity seriously and whether they present unnecessary risk to your agency.
To help you start this conversation, the following categories of questions will give you insight into each vendor’s cybersecurity approach and safeguards.
Access Control Policies
Access Management is one of the most important cybersecurity safeguards that all of your vendors should have implemented.
To find out where a vendor stands, you can ask some of these questions:
- Do you require multi-factor authentication (MFA), ideally phishing-resistant MFA such as passkeys or hardware security keys, for all account access, including administrator and remote access?
- How are administrator accounts and privileges protected?
- Who can access our information?
- How is employee access removed when staff leave?
Weaknesses in access controls create opportunities for bad actors to gain unauthorized access to your information through their systems. This is the exact sort of risk that PIDSA compliance is attempting to mitigate.
Data Protection Policies
Depending on your current data storage solution, these questions may vary by vendor.
If your agency utilizes cloud servers or third-party managed on-site servers, you can ask the vendors these questions:
- Where are all the places our data is stored?
- Is our sensitive data and information encrypted, both at rest and in transit, and who controls the encryption keys?
- How are backups managed?
- How often are backups tested by actually restoring them?
- What protections exist against ransomware (for example, offline or immutable backup copies that an attacker with access to your systems cannot delete)?
Understanding how a vendor protects your information can help you identify potential vulnerabilities before they become a bigger incident.
Incident Response
In the realm of cybersecurity, incidents are almost always a “when”, not an “if”.
Because of this reality, what really matters in the event of an incident is how quickly a vendor detects it, responds to it, and notifies you. Your agency cannot act on an incident, or meet its own obligations around one, until it knows the incident happened. Understanding the vendor’s protocols and procedures will help you understand the risk your agency shares when an event occurs.
To get a good idea of the scope of a vendor’s procedures, you can ask the following questions:
- How are incidents detected?
- How will we be notified if an event occurs, and within what timeframe?
- Who is our point of contact in an event?
- What support is available during an incident?
If you want a better idea of general best practices for incident procedures, check out the Cybersecurity & Infrastructure Security Agency’s considerations and planning for cyber incidents. The guide covers a lot of ground, but it’s helpful for business owners to see how a federal agency approaches cybersecurity response.
Business Continuity
A vendor outage can create a significant disruption for your agency.
For example, imagine if your AMS went offline, the phone systems went down, email stopped working, or backups silently stopped running.
These are nightmare situations not only for your workflows, but also for your PIDSA compliance, because the systems you rely on to protect nonpublic information and continue operations are suddenly unavailable or, worse, compromised.
To fully understand a vendor’s commitment to delivering a high standard of service, ask some of these questions to round out what you’ve learned from the previous sections of questions:
- What redundancy measures exist with your service?
- How do you minimize downtime in the event of an outage?
- What recovery procedures are documented?
- What service level commitments (SLAs) do you provide, and what happens if they are missed?
Business continuity is the often-forgotten cousin of cybersecurity. While keeping systems secure is critical, it’s just as crucial to keep them running in order to maintain compliance and operational stability.
Always Get Documentation From Vendors
Many agencies settle for verbal confirmation when discussing these questions with their vendors. However, this is a classic mistake, especially when it comes to PIDSA compliance.
To demonstrate your due diligence and compliance maturity, obtain written documentation from each of your vendors. Written answers show your agency exactly what to expect from the vendor’s service, and they quickly separate the wheat from the chaff when it comes to vendor quality.
Your agency should maintain a record of each vendor’s contact information, written answers to the questions above, the date of the review, internal notes on notable risks, and any follow-up actions. This creates a record you can produce for the Pennsylvania Insurance Department and supports your agency’s position under PIDSA.
Common Mistakes With Vendor Oversight
To help you with your vendor oversight, here’s a quick list of common mistakes that we see insurance agencies make when it comes to proper procedures.
- Only Reviewing Vendors Once – Cybersecurity is a changing landscape, which means that vendor reviews should be an ongoing process that occurs more than once.
- Focusing Only On Technology Vendors – Payroll providers, document platforms, and communication systems may also process sensitive information that falls under PIDSA compliance.
- Assuming Large Vendors Are Automatically Secure – A well-known company can feel like a cybersecurity safety blanket, but even the largest companies still experience cybersecurity incidents. Size doesn’t replace due diligence.
- Not Documenting Reviews – If it hasn’t been documented, it’s almost like it never happened. It becomes near impossible to prove that any review occurred.
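A simple vendor-review register covering the record described in the documentation section above and the “only reviewing once” and “not documenting reviews” mistakes in this list. This is an added example, not code from the original post or from Marvel IT Services; the vendor names, the risk tiers, and the review intervals (180 days for critical vendors, 365 days otherwise) are assumptions for illustration, not values PIDSA prescribes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The four question categories from the vendor review checklist above.
CATEGORIES = ("access_control", "data_protection",
              "incident_response", "business_continuity")

# Review cadence by risk tier. Assumed values; set your own in policy.
REVIEW_INTERVAL_DAYS = {"critical": 180, "standard": 365}


@dataclass
class VendorRecord:
    """One row of the vendor oversight record."""
    name: str
    contact: str
    tier: str                      # "critical" or "standard" (assumed tiers)
    last_review: date
    written_answers: dict = field(default_factory=dict)  # category -> vendor's written answer
    notes: str = ""                # internal notes on notable risks
    follow_ups: list = field(default_factory=list)       # open follow-up actions


def missing_categories(vendor: VendorRecord) -> list:
    """Categories for which no written answer has been recorded (verbal answers don't count)."""
    return [c for c in CATEGORIES if not vendor.written_answers.get(c, "").strip()]


def review_due(vendor: VendorRecord, today: date) -> bool:
    """True when the vendor's last review is older than its tier's interval."""
    interval = REVIEW_INTERVAL_DAYS.get(vendor.tier, REVIEW_INTERVAL_DAYS["standard"])
    return today - vendor.last_review >= timedelta(days=interval)


def oversight_findings(vendors: list, today: date) -> dict:
    """Map each vendor name to the list of oversight gaps an auditor would flag."""
    findings = {}
    for v in vendors:
        issues = []
        if review_due(v, today):
            issues.append("review overdue")
        missing = missing_categories(v)
        if missing:
            issues.append("no written answers for: " + ", ".join(missing))
        if v.follow_ups:
            issues.append(f"{len(v.follow_ups)} open follow-up action(s)")
        findings[v.name] = issues
    return findings


# Constructed sample register (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    VendorRecord(
        name="Example MSP", contact="support@example-msp.invalid", tier="critical",
        last_review=date(2025, 1, 15),
        written_answers={
            "access_control": "MFA enforced for all staff; admin accounts separate.",
            "data_protection": "Backups nightly, restore test quarterly.",
            "incident_response": "Client notified within 24 hours of confirmed incident.",
            "business_continuity": "Documented DR plan, 4-hour RTO.",
        },
    ),
    VendorRecord(
        name="Example Payroll", contact="security@example-payroll.invalid", tier="standard",
        last_review=date(2025, 6, 1),
        # Only verbal answers so far: nothing recorded for two categories.
        written_answers={"access_control": "MFA available but optional."},
        notes="MFA optional for client logins; ask for enforced MFA.",
        follow_ups=["Confirm MFA can be enforced on our account"],
    ),
]

if __name__ == "__main__":
    for name, issues in oversight_findings(SAMPLE_VENDORS, date(2025, 9, 1)).items():
        print(name, "->", issues or ["no gaps"])
```

Run it once a quarter against your real register and anything that prints with issues is your to-do list. The point of the code is the record it forces you to keep: a vendor with nothing in `written_answers` shows up as a gap regardless of how reassuring the phone call was.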
Frequently Asked Questions
Does PIDSA require third-party oversight?
PIDSA includes requirements related to third-party service provider oversight and cybersecurity risk management. Agencies should review the Act itself and the Pennsylvania Insurance Department’s guidance to understand their compliance responsibilities.
Does my IT provider count as a third-party vendor?
In most cases, yes. If an IT provider has access to any systems, data, backups, or administrative functions, they should be considered part of your vendor risk review process.
How often should vendors be reviewed?
Many organizations conduct annual reviews, though you may want to consider doing more frequent reviews for high-risk or critical vendors.
Do small insurance agencies need vendor oversight?
Yes. Cybersecurity risks are not limited to just large organizations. Even if it’s a one-person agency, that person still needs proper cybersecurity practices and should implement proper vendor vetting procedures (even if they are exempt from PIDSA compliance).
What To Do Next?
PIDSA compliance is a lot more than firewalls, MFA, and antivirus. It requires Pennsylvania insurance agencies to think about the broader ecosystem of everywhere their data ends up.
Every vendor that has access to your data, systems, or operations represents an opportunity and a risk. By implementing a proper review process, you can strengthen your cybersecurity and compliance while also achieving peace of mind for you and your clients.
If you’re unsure whether your current vendors are supporting your compliance goals and requirements, we’re here to help. Marvel IT Services specializes in helping independent insurance agencies navigate the compliance landscape and build technology strategies for long-term growth and stability.
Give us a call to start with a 100% free review of your current environment and PIDSA compliance so we can begin to help you navigate these new compliance waters.
![Pennsylvania Insurance Data Security Act (Act 2 of 2023) [PIDSA]](https://marvelitservices.com/wp-content/uploads/2026/06/PIDSA-300x200.png)

