Cybersecurity is the practice of protecting networks, systems, hardware and data from digital attacks. It encompasses everything pertaining to protecting sensitive data, including personally identifiable information (“PII”), protected health information (“PHI”), personal information, intellectual property, and industry information systems, from theft and damage attempted by criminals and adversaries.
This article outlines ESI’s cybersecurity requirements which are aligned with National Life’s cybersecurity program. For more details on National Life’s cybersecurity program, please review the Field Guidance: Data Security Manual on the Agent Portal.
Education
As a registered representative, you receive periodic training relating to cybersecurity, which may include information on the types of cyberattacks that may occur, the basics of cybersecurity, and how to protect yourself. In addition, the Registered Representative Annual Certification has you attest that you have read and understood the cybersecurity policy within the WSPs. Please review and familiarize yourself with the cybersecurity policy and ensure your staff members are educated on this topic as well.
Computer Protection
Anti-Virus and Encryption
All field registered representatives (“RRs”) and non-registered fingerprinted persons (“NRFs”) associated with ESI must have anti-virus software on all computers and encryption (e.g. BitLocker, Check Point) on laptops that access or store clients’ PII.
Currently, all RRs and NRFs are required to have the Brite compliance agent (“Brite”) on their computers. Brite detects and reports any anti-virus software or encryption status deficiencies. Coming later in 2021, Entreda will replace Brite as the required monitoring software solution for all RRs and NRFs. For more information, please visit the Entreda Unify Systems page on the Agent Portal.
All portable devices and external media (e.g. zip drive, flash drive, mobile phone, laptop, disks) containing customer or company confidential information must be encrypted. Backup drives should be encrypted to prevent unauthorized access in the event they are stolen or lost.
Access
Ensure all systems and other resources are located in secure physical facilities where access is restricted to authorized individuals only. Access to systems must have appropriate controls that include, at a minimum:
- A unique user ID for each user (sharing of passwords is prohibited);
- Strong passwords that expire periodically (see the “Passwords” section of the Field Guidance: Data Security Manual for guidance);
- Two-factor (“2FA”) or multi-factor (“MFA”) authentication whenever possible; MFA will be required for remote access to any NLG systems;
- Computers that enter “time-out” or “sleep” mode after, at most, 30 minutes of inactivity and require a password to wake;
- Use of “Control-Alt-Delete” to lock your computer when you leave your seat;
- Ensuring laptops are locked away or otherwise secured when left in the office or when traveling;
- Password-protecting shared office printers/scanners;
- Linking office scanners to an NLG email address when utilizing the scan-to-email function.
Termination
Develop a process to terminate access and collect devices when an individual leaves employment. Please ensure:
- Access cards or keys to the office are collected.
- Computers or devices owned by the office are collected.
- ESI has been notified of the termination to shut off access to systems.
- When discarding a computer/device no longer being used, or repurposing it for another employee, ensure all data is properly disposed of to avoid unauthorized disclosure of confidential data. This includes, but is not limited to, resetting a phone, reformatting or destroying hard drives, properly erasing copier/scanner hard drives, ensuring no sensitive information remains on phones or zip drives.
Email Encryption
National Life encrypts email for all outgoing electronic mail that contains PII (Personally Identifiable Information): ABA routing numbers, credit card numbers, social security numbers, federal tax IDs, and policy numbers. Using your National Life email account, place “[PRIVATE]” in the subject line to enable the encryption of the message (regardless of whether it contains PII).
WiFi
Most public WiFi services are unencrypted and do not require a password, which means a hacker within range of that WiFi service can “see” all information being transmitted across that network. Protect yourself in three ways:
- Only interact with secure websites when sending or receiving information. Check that the website URL starts with “HTTPS”.
- Use trusted security software: anti-virus, anti-malware, and firewalls.
- Whenever possible, do not log in to any financial, work-related or social media accounts via public WiFi unless you have a virtual private network (“VPN”).
Office wireless systems must be protected and include, at a minimum:
- Strong password protection
- WPA2 or higher encryption
- Segregated wireless network access for guests
Passwords
Follow these security tips for account security:
- Use strong passwords for all online accounts, electronic computing devices, and other devices. Password length should be a minimum of 12 characters and use a mix of lowercase, uppercase, numbers, and symbols. Mobile phones should be password protected (although they normally only allow 4- to 6-digit passwords);
- Use a secure password manager (e.g.: LastPass, Dashlane, 1Password);
- Never share your password;
- Do not use the same password for multiple accounts;
- Change your passwords regularly (a good standard is every 180 days or less);
- Do not use a third party to authenticate to a site (e.g. using Google or Facebook to sign you into your LinkedIn account);
- Use 2FA or MFA whenever possible. MFA will be required for remote access to any NLG systems.
Cloud Storage
Cloud-based technologies, such as Dropbox, Google Drive, or OneDrive, are not approved for storing or transferring sensitive ESI corporate or customer data. This includes PII, PHI, and customer or corporate financial data. ESI is unable to validate the security of these services, or to capture, retain, and reproduce documents stored on them, since they are external sites. Docupace is the only approved electronic storage medium for ESI.
Security Breach or Cyber Issue?
While not a requirement, it is highly encouraged to consider obtaining adequate cyber insurance to cover possible damages caused by a data breach.
Everyone at ESI (employees, RRs, NRFs) is the first line of defense in protecting our environment from adverse events. Reporting issues, known or suspected, helps protect our environment. Examples of a cybersecurity-related issue could include, but are not limited to:
- Email hacking;
- Password compromise;
- Computer hacking;
- Computer/device theft or loss;
- Other situations, whether caused by humans or technology, that resulted, or could result, in the exposure of confidential information to unauthorized parties.
To report an incident, please contact your supervisor. In coordination with your supervisor, please contact Christine Embling (cembling@nationallife.com or 802-229-3994) in ESI Compliance to report the incident.
Questions
If you have any cybersecurity-related questions, please contact your supervisor.
TC120179(0321)1