Field Notice 2023-30 Cybersecurity

ESI Compliance
Field Notice 2023-30

December 26, 2023

Cybersecurity
Cybersecurity is the practice of protecting networks, systems, hardware and data from digital attacks. It includes protecting sensitive data, such as personally identifiable information (“PII”), Protected Health Information (“PHI”), intellectual property, and industry information systems, from theft and damage by criminals and other adversaries.

This Field Notice outlines some important best practices around ESI’s cybersecurity requirements, which align with National Life’s cybersecurity program. For more details on National Life’s cybersecurity program, please review the Security Guidance Manual on the Agent Portal. This document can also be accessed from the “Technology and Security” tab located on the NLG Life and Annuity Compliance portal landing page. For more best practices and guidance, please review Section 5.9.5 of ESI’s Written Supervisory Procedures.

Important Reminders
Below is a list of important reminders around security and protection of information:

  • Cloud Storage: Cloud-based storage services, such as Dropbox, Google Drive, or OneDrive, are not approved for storing or transferring sensitive ESI corporate or customer data. This includes PII, PHI, and customer or corporate financial data. Because these are external services, ESI cannot validate their security, nor can it capture, retain, and reproduce documents stored on them. Docupace is the only approved electronic storage medium for ESI.
  • Email encryption: When sending any ESI-related email, you must use your National Life email account. Additionally, type “[PRIVATE]” in the subject line of the message so that it is encrypted; National Life encrypts outgoing messages tagged this way. The tag is required for any email that contains PII, including ABA routing numbers, credit card numbers, Social Security numbers, federal tax IDs, and policy numbers. For example, the subject line should begin with “[PRIVATE]” followed by your usual subject text.
  • Phishing emails: Be mindful of suspicious emails from unknown senders. Such emails may contain spelling or grammatical errors or try to create a sense of urgency. Never open an email attachment unless it comes from a trusted source. If you are not sure, forward the email as an attachment to spam@nationallife.com for further investigation.
  • Scanners must be linked to an NLG email: When scanning documents, the scanner must be linked to an NLG email address to protect the information being scanned. When using a phone or other device to scan or photograph documents, the device must be encrypted and linked to an NLG email address.
  • Sharing of passwords is prohibited: Passwords may not be shared for any reason. This includes giving an NRF the password to an RR’s computer, email, or online system in order to access client information. In addition, RRs and NRFs are not permitted to obtain passwords from a client to access the client’s account; only clients may access their own accounts. National Life recommends using a password manager to create and securely store unique, strong passwords.
  • Texting: SEC and FINRA Rules require all electronic communications, including text messages, to be captured and archived by the Firm. CellTrust is the only application approved by ESI to use when texting clients. This includes any text relating to securities, investment advisory, insurance and all investment-related activities sent to/received from clients, potential clients, vendors, home office employees, and branch office administrative staff.
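The email encryption reminder above describes a gateway rule: the “[PRIVATE]” subject tag triggers encryption, and the tag is required whenever a message carries PII such as routing numbers, card numbers, Social Security numbers or tax IDs. The pre-send check below is an added example, not National Life or ESI code, showing how a branch could catch a message that contains those PII types but is missing the tag before it leaves the outbox. The regular expressions, the use of the ABA and Luhn checksums to cut false positives, and the sample messages are this example’s own assumptions and constructed data; policy-number formats vary by carrier, so no policy-number pattern is attempted here.

```python
"""Pre-send check: flag outgoing mail that carries PII but lacks the
"[PRIVATE]" subject tag that triggers gateway encryption.

Added example, not National Life/ESI code. Patterns, checksum rules and
sample messages are this example's own assumptions / constructed data.
"""
import re

PRIVATE_TAG = "[PRIVATE]"

# Candidate patterns. Where a checksum exists (ABA, payment cards) a hit is
# only reported if the checksum also passes, so order numbers and similar
# nine- or sixteen-digit strings are not flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")          # federal tax ID, NN-NNNNNNN
ROUTING_RE = re.compile(r"\b\d{9}\b")            # ABA routing number candidate
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # card number, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def find_pii(text: str) -> set:
    """Return the set of PII categories detected in text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if EIN_RE.search(text):
        found.add("federal_tax_id")
    for m in ROUTING_RE.finditer(text):
        if aba_ok(m.group()):
            found.add("aba_routing")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card_number")
    return found


def check_message(subject: str, body: str) -> dict:
    """Decide whether a message may be sent as-is.

    ok is True when the subject carries the tag or when no PII was found;
    a message with PII and no tag should be held for the sender to fix.
    """
    pii = find_pii(subject + " " + body)
    tagged = PRIVATE_TAG in subject
    return {"pii": sorted(pii), "tagged": tagged, "ok": tagged or not pii}


if __name__ == "__main__":
    # Constructed sample messages (synthetic numbers that pass the checksums).
    samples = [
        ("Quarterly review", "Client SSN is 123-45-6789, routing 123456780."),
        ("[PRIVATE] Quarterly review", "Card 4111 1111 1111 1111 on file."),
        ("Lunch", "Order confirmation 123456789, see you at noon."),
    ]
    for subject, body in samples:
        print(subject, "->", check_message(subject, body))
```

The check is deliberately conservative about what it calls PII: a bare nine-digit number is reported only if it passes the ABA checksum, and a long digit run only if it passes Luhn, which is what keeps ordinary order or confirmation numbers from blocking mail. A message that fails the check should be held so the sender can add the tag, not silently sent.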

Entreda
RRs and NRFs are required to have the Entreda Unify System (“Entreda”) software installed on all devices that are used to access ESI systems or that access or store clients’ information. Entreda monitors the security posture of the device, including the status of key security controls and any deficiencies in them.

Once installed, Entreda calculates a security risk score based on certain criteria, including auto-screen lock, WiFi, password, and encryption settings, among other factors. A device must maintain a passing score of 660 or above to be compliant. Failure to install Entreda, or to maintain a passing score of 660 or above, will prevent users from accessing the Agent Portal. Please refer to FN 2021-19 Entreda Unify Systems for more details.

If you no longer use a device for business purposes, all ESI data must be permanently removed from that device. Once removed, please contact Stephen Page (spage1@nationallife.com) to confirm, so that the device can be removed from Entreda reporting.

Hardware
Hardware that stores Confidential or Sensitive information and is no longer needed, or has reached “end of life,” must be securely wiped so that the data is unreadable and non-recoverable before redistribution, reuse, or disposal, following NLG hardware “end of life” guidelines. Effective deletion and destruction must be evidenced and, where applicable, a certificate of destruction must be obtained and properly recorded. Any destruction of Confidential or Sensitive Information must be conducted in accordance with the applicable requirements of NLG’s Information Classification Policy, the Records Management Policy, and other relevant NLG policies and procedures.

Anti-virus and Encryption
Anti-virus status is monitored in the field through Entreda. Everyone associated with ESI must have anti-virus software on all computers that access or store clients’ PII. In addition, all portable devices and external media (e.g., zip drives, flash drives, mobile phones, laptops, disks) that access or store clients’ PII must be encrypted. Backup drives should also be encrypted to prevent unauthorized access if they are lost or stolen.

Anti-virus/anti-malware software vendors that are currently compliant with Entreda: 

  • AVAST! Software     
  • AVG Technologies
  • BitDefender 
  • Checkpoint
  • Crowdstrike Falcon
  • Fortinet
  • Cylance Protect
  • ESET
  • Kaspersky
  • Malwarebytes Premium
  • McAfee
  • Windows Defender
  • Panda Security
  • SentinelOne
  • Symantec Corp.
  • Norton360
  • Sophos
  • Trend Micro
  • Vipre Anti-Virus
  • Webroot
  • Zone Alarm


Encryption vendors that are currently compliant with Entreda:

  • Microsoft BitLocker Encryption
  • McAfee
  • Sophos
  • Symantec (full disk encryption only)

Branch Cybersecurity Policy

It is recommended that each branch have a documented cybersecurity policy. Here are some items to consider including in the policy:

What to do if there is a cybersecurity-related issue

To report an incident, please contact your supervisor. In coordination with your supervisor, please contact ESI Compliance by phone (800-344-7437) or email (esicompliance@nationallife.com) to report it. Cybersecurity-related issues may include, but are not limited to:

  • email account compromise
  • National Life password compromise
  • computer hacking (for example: unauthorized access or malware infection)
  • computer/device theft or loss
  • other situations, whether caused by humans or technology, that resulted or could result, in the exposure of confidential information to unauthorized parties.


Vetting third party IT providers or resources

The ESI Confidentiality Agreement is required whenever a third-party or outside service provider may have access to ESI’s confidential client information or records. Examples of third-party services may include, but are not limited to, shredding services, document storage facilities, office cleaning services, or IT service providers.

When using outside third-party IT resources, in addition to obtaining a confidentiality agreement, the vendor should be adequately assessed to ensure that they have effective security practices. For more best practices related to vendor due diligence, please review the Field Notice 2023-27.

Safeguarding Customer Records and Information

It is recommended that you create and maintain a technology inventory. This should include computers, laptops, scanners, tablets, phones, printers, etc. If an issue arises, this inventory will help you determine which asset has gone missing or been impacted and who it belonged to. For more information, please refer to NLG’s Minimum Security Standards, which are found on page 53 of the NLG Life & Annuity Compliance Manual.

Phishing and smishing (SMS text message phishing) remain common. It is important that all RRs and NRFs understand how to spot phishing emails. They must also understand that text messages impersonating executives or other VIPs and asking for gift cards are a commonly used lure.

Questions

If you have any cybersecurity-related questions, please contact your supervisor.

TC138983(0124)1