Cybersecurity is the practice of protecting networks, systems, hardware and data from digital attacks. It encompasses everything pertaining to protecting sensitive data – personally identifiable information (“PII”), protected health information (“PHI”), personal information, intellectual property, data, and industry information systems – from theft and damage attempted by criminals and adversaries.
This Field Notice outlines some important best practices around ESI’s cybersecurity requirements. For more best practices and guidance, please review Field Notice 2021-09 Cybersecurity and ESI’s Written Supervisory Procedures.
**Having trouble with the links in this email? Log into the agent portal first, and try again!**
Branch Cybersecurity Policy
It is recommended that each branch have a documented cybersecurity policy. Here are some items to consider including in the policy:
What to do if there is a cybersecurity-related issue
To report an incident, please contact your supervisor. In coordination with your supervisor, please contact ESI Compliance (esicompliance@nationallife.com) to report. Cybersecurity-related issues may include, but are not limited to:
- email hacking
- password compromise
- computer hacking
- computer/device theft or loss
- other situations, whether caused by humans or technology, that resulted, or could result, in the exposure of confidential information to unauthorized parties
Vetting third party IT providers or resources
The ESI Confidentiality Agreement is required whenever a third-party or outside service provider may have access to ESI’s confidential client information or records. Examples of third-party services may include, but are not limited to, shredding services, document storage facilities, office cleaning services, or IT service providers.
When using outside third-party IT resources, in addition to obtaining a confidentiality agreement, the vendor should be adequately assessed to ensure that they have effective security practices.
Inventory of Assets
It is recommended that you create and maintain a technology inventory. This should include computers, laptops, scanners, tablets, phones, printers, etc. In case an issue arises, this inventory will help you understand what asset has gone missing or has been impacted and who it belonged to.
Important Reminders
Below is a list of important reminders around security and protection of information:
- Scanners must be linked to an NLG email: When scanning documents, the scanner must be linked to an NLG email address for the security of the information being scanned. When utilizing a phone or other device to scan or take a photo of documents, such devices must be encrypted and linked to an NLG email address. Outside email addresses may not be encrypted or as secure as your NLG email.
- Sharing of passwords is prohibited: Passwords may not be shared for any reason. This includes providing an NRF with passwords for an RR’s computer, email, or online system in order to access client information.
- Accessing client accounts is prohibited: RRs and NRFs are not permitted to obtain passwords from a client to access a client’s account information or other PII (even with the client’s permission). Only clients may access their own accounts.
- Email encryption: National Life encrypts email for all outgoing electronic mail that contains PII: ABA routing numbers, credit card numbers, social security numbers, federal tax IDs, and policy numbers. When sending a message with sensitive information, you must use your National Life email account and type “[PRIVATE]” in the subject line to enable the encryption of the message.
- Phishing emails: Be mindful of suspicious email from unknown senders. Such email may have spelling or grammatical errors or create a sense of urgency. Additionally, never open an email attachment unless it comes from a trusted source. Home office employees may report potential phishing email by clicking the “Phish Alert Report” button within Outlook. Field representatives may forward the email as an attachment to spam@nationallife.com.
Anti-Virus And Encryption
Everyone associated with ESI must have anti-virus software on all computers that access or store clients’ PII. In addition, all portable devices and external media (e.g. zip drive, flash drive, mobile phone, laptop, disks) that access or store clients’ PII must be encrypted. Backup drives should be encrypted to prevent unauthorized access in the event they are stolen or lost.
Anti-virus/anti-malware software vendors that are compliant with Entreda:
- AVAST! Software
- AVG Technologies
- BitDefender
- Checkpoint
- Crowdstrike Falcon
- Fortinet
- Cylance Protect
- ESET
- Kaspersky
- Malwarebytes Premium
- McAfee
- Windows Defender
- Panda Security
- SentinelOne
- Symantec Corp.
- Norton360
- Sophos
- Trend Micro
- Vipre Anti-Virus
- Webroot
- Zone Alarm
Encryption vendors that are compliant with Entreda:
- Microsoft BitLocker Encryption
- McAfee
- Sophos
- Symantec (full disk encryption only)
Entreda
Everyone is required to have the Entreda Unify System (“Entreda”) software installed on all computers and laptops that access or store clients’ PII or are used to access the agent portal. Entreda monitors the security of the computer system, including the status of any key security control deficiencies.
Once installed, Entreda calculates a security risk score based on certain criteria including auto-screen lock, WiFi, password, and encryption settings, among other factors. A device must maintain a passing score of 660 or above to be compliant. Failure to install Entreda or maintain a passing score of 660 will prevent users from accessing the agent portal. Please refer to FN 2021-19 Entreda Unify Systems for more details.
If you no longer utilize a device for business purposes, all ESI data must be permanently removed from that device. Once removed, please contact Rich Whalen (rwhalen@nationallife.com) to confirm and allow him to remove the device from Entreda reporting.
Questions
If you have any cybersecurity-related questions, please contact your supervisor.
TC130210(1222)1