
Read This Before You Hire Virtual Assistants

The NY DFS regulation requires covered entities, including Independent Insurance Agencies, to have stringent policies and procedures for protecting their information systems and nonpublic information, especially when engaging third-party service providers like virtual assistants.

Mandatory Requirements Before Hiring Virtual Assistants:

Must Have Separate Written Information Security Program (WISP) for Third-Party Vendors:

You must establish a WISP specific to your third-party vendors. This program should detail how you plan to manage and secure the data accessed by these vendors.

Agencies Must Perform Risk Assessment on the Third-Party Vendor:

Conduct a thorough risk assessment to understand the cybersecurity threats the third-party vendor poses, and identify which of those threats the vendor must remediate before a partnership can commence.

Third-Party Must Have Cybersecurity Measures In Place:

The virtual assistant or third-party provider must adhere to robust cybersecurity practices, ensuring alignment with your Agency's WISP for compliance with NY DFS regulations.

Agencies Must Verify Third-Party’s Cybersecurity Practices:

Regularly verify and ensure that the third-party’s cybersecurity measures are adequate and up-to-date.

Agencies Must Periodically Reassess Third-Party:

Continuously assess the third-party vendor, focusing on their adherence to cybersecurity practices and the evolving risks they might present.

Key Elements Your Third Party Vendor Must Have:

Due Diligence Guidelines:

Outline, within your WISP (Written Information Security Program), the process for evaluating the third party's capabilities and compliance.

Access Controls:

Ensure the third party implements access control policies, including the use of multi-factor authentication. Access to relevant information systems and nonpublic information, such as client data, must also be limited to what is necessary.

Data Encryption:

Mandate the use of encryption for protecting information in transit and at rest.

Incident Notification Protocols:

The third-party should have a mechanism to promptly notify your Agency in case of a cybersecurity event.

Representations and Warranties:

The contract should include representations and warranties concerning the third-party's cybersecurity policies and procedures, particularly regarding the security of your Agency's information systems and nonpublic information.

Documentation for DFS:

Documentation of the third party's cybersecurity implementation, best practices, WISP, contract with your Agency, etc. should be readily available as proof for DFS.

Key Warnings for Hiring Virtual Assistants:

Compliance Challenges with NY DFS Regulations:

VAs, especially overseas VAs, may not be familiar with, or capable of complying with, NY DFS cybersecurity regulations.

Overseas VAs may not be able to be compelled to comply with the requirements.

Differences in legal frameworks between industries and/or countries can lead to complex compliance scenarios. 

Even if a parent company is hosted in the USA, NY DFS will still require anyone accessing data and systems to be in compliance with DFS cybersecurity standards, which may be difficult to verify.

Difficulty in Monitoring and Enforcing Security Protocols:

Constantly monitoring and ensuring that overseas VAs adhere to your cybersecurity policies can be challenging and resource-intensive. 

Time zone differences and cultural barriers may hinder effective communication and supervision. 

Risk of Data Breaches:

VAs might lack robust security infrastructure, increasing the risk of data breaches.

The potential for unauthorized access to sensitive client information is significantly higher. 

The use of VAs introduces additional risk: because they handle work for other companies as well as your Agency, a breach of their network puts everything on it at risk and could give threat actors access to your systems as well.

Limited Legal Recourse:

In the event of a data breach or non-compliance, legal actions against overseas third-party vendors can be complicated and often ineffective.

Recovering losses or enforcing penalties across international jurisdictions is difficult.

Some Virtual Assistant policies include a waiver of liability in the case of a data breach (or even a set number of breaches per month!), so you may be inadvertently signing something that puts your Agency at risk.

Operational Risks:

Failing to comply with any of the NY DFS requirements for any 24-hour period results in your Agency no longer being in compliance; this includes non-compliance by your third-party vendors.

In some cases, a third-party vendor may fall under the definition of "employee" or "contractor", in which case your Agency may be subject to additional compliance requirements, or to penalties if a breach occurs.

Strong Recommendations:

Given these significant risks, it's strongly recommended to avoid using virtual assistants, particularly those based overseas, for accessing or handling non-public client information and documentation. Instead, consider the following:

Explore Local or In-house Alternatives:

Look for local providers or in-house staff who can be more reliably monitored and who are, or can be made, subject to the same legal and regulatory framework that NY DFS compliance requires.

Use VAs for Non-Sensitive Tasks:

If you opt to use VAs, limit their roles to tasks that do not involve accessing sensitive client data (e.g., they must not be able to access agency management software or email, sign documents, open documents, etc.).

Implement Rigorous Security Measures:

If engaging VAs is unavoidable, you must create and enforce strict security protocols, regularly monitor their compliance with the NY DFS regulation, and file proof of their compliance alongside your Agency's during your annual attestation.

While the cost-effectiveness of hiring virtual assistants is appealing, the risks can outweigh the benefits. Furthermore, the consequences of failing to comply with the Department of Financial Services (DFS) regulations due to lapses by virtual assistants cannot be overstated.

Before making the decision to hire a virtual assistant, it's crucial to conduct a thorough and in-depth evaluation of these risks.

Still thinking of hiring a Virtual Assistant for your Insurance Agency?

Give us a call and let us help you verify whether your potential virtual assistant will be a true asset or a DFS compliance nightmare: Call me at 646-374-1820 or email me at walter@motiva.net

Walter Contreras