Jason Gobbel

Applied Systems’ Hosted Exchange Retirement: What it Means for Your Agency

Recently, many of you may have received an email from Applied Systems, notifying users about their decision to retire their Hosted Exchange and Insuremail services by the end of December 2023. This development could have significant implications for agencies relying on these services. In this video and blog post, we’ll explore how Applied Systems’ Hosted Exchange retirement might affect your agency and what strategic measures you can take to ensure a seamless transition to a new service.

A bit of history

Several years ago, Applied began hosting email for agencies using a product called Microsoft Exchange. Exchange is a fantastic product, and back in the days of servers, this is exactly what we deployed in agencies. But as the years went on, Exchange was increasingly designed for large organizations. It required larger servers and more server roles. It required special skills to manage, and it was difficult to keep secure. This meant more expense. Meanwhile, cloud alternatives were getting better and more cost-effective all the time.

These days, there are far better options out there for agencies and Applied is recognizing that.  This will allow Applied Systems to reallocate time and effort into products like Epic, where their core expertise really shines. Check out this recent update from Applied Systems to learn more.

So what does this mean for your agency?

Receiving the letter doesn’t necessarily mean that you’re using the service.  So the first step is determining if this applies to you.  Your IT folks should easily be able to determine this. They’ll want to check inbound email, your copiers and scanners, and Epic DMS.

If you ARE using Applied’s email services, you’ll need to have all of your data off of those services before the end of December 2023. That’s not much time, so you need to start making a plan now to transition to another solution.  For this, I recommend Microsoft 365. Microsoft 365 has become the industry standard for email, but the 365 ecosystem is much larger than that. You can use Microsoft 365 to replace servers, deliver cybersecurity, implement cloud desktops, and meet compliance requirements.

KiteTech is here to help

If you are currently using Applied’s email services and need help migrating to Microsoft 365, we can help. I would encourage you to reach out to Kite Technology sooner rather than later, so we can begin helping you plan for the change.

If you’re already using Microsoft 365, and you’re curious about how you can make it more effective and secure, we can help with that as well. We have made Microsoft 365 a part of everything we do, and we would love to help you make Microsoft 365 part of everything you do. Contact us today to learn more about our Managed IT Services and Microsoft 365 Consulting.

Jason Gobbel

Chief Solutions Officer
Kite Technology Group

New FTC Safeguards Rule: What Insurance Agencies Need To Know

Another day, another regulation.

To keep pace with the ever-changing cybersecurity landscape, the Federal Trade Commission recently updated their Gramm-Leach-Bliley era 2003 Safeguards Rule. The new Standards for Safeguarding Customer Information are far more in-depth, and do a great job of bringing this regulation to the modern era.

Now, I know what you’re thinking: Does the FTC Safeguards rule even apply to Agencies? Well, that ultimately depends on what types of services your Agency provides. But before we make a decision, let’s review what’s involved.

Key Aspects of the new FTC Safeguards Rule:

Determine Applicability and Scope of the Safeguards Rule (Section 314.2(h)):

  • Understand whether your insurance agency qualifies as a covered entity under the FTC Safeguards Rule. The definition is quite vague, so I’d recommend erring on the side of caution.
  • Identify the types of non-public personal information (NPI) that your agency handles, including customer details, financial records, and medical information.
  • Ensure compliance with the rule’s requirements based on the size, nature, and scope of your agency’s operations.

Conduct A Risk Assessment (Section 314.4(b)):

  • Your Information Security Program should be based on an assessment of foreseeable risks.
  • Your risk assessment should include recommendations and requirements for mitigating discovered risks.

Develop a Comprehensive Information Security Program (Section 314.3(a)):

  • Establish an information security program specifically tailored to your insurance agency’s unique needs, risks, and compliance obligations.
  • Conduct a comprehensive risk assessment to identify vulnerabilities in your agency’s systems, networks, and processes.
  • Implement robust security measures, including data access controls, encryption protocols, secure transmission methods, and secure storage of customer data.

Appoint a Dedicated Data Protection Officer (DPO) or Team (Section 314.4(a)):

  • Designate a competent individual or team responsible for overseeing the implementation and enforcement of your agency’s information security program.
  • Ensure the DPO or team possesses expertise in data protection, privacy regulations, and the insurance industry’s specific requirements.
  • Provide the necessary authority and resources to the DPO or team to effectively address data security concerns and communicate with stakeholders.

Design and Implement Safeguards and Controls (Section 314.4(c)):

  • Apply the Principles of Least Privilege.
  • Implement encryption and multi-factor authentication.
  • Establish policies for data retention and destruction.

Regularly Test and Monitor Your Security Controls (Section 314.4(d)):

  • Implement solutions that deliver continuous monitoring.
  • Monitor for new vulnerabilities in the environment.
  • Consider the need for penetration testing.

Train Employees on Data Security Best Practices (Section 314.4(e)):

Implement Vendor Management Practices (Section 314.4(f)):

  • Evaluate the security practices of third-party vendors and service providers who have access to customer data or handle sensitive information.
  • Implement stringent vendor management procedures, including due diligence assessments, contractual obligations, and ongoing monitoring of vendor compliance.
  • Regularly review and update agreements with vendors to ensure they align with the FTC Safeguards Rule’s requirements.

Establish Incident Response and Data Breach Notification Procedures (Section 314.4(h)):

  • Develop an incident response plan that outlines the steps to be taken in the event of a data breach or security incident.
  • Ensure the plan covers incident detection, containment, investigation, mitigation, and recovery.
  • Familiarize yourself with relevant breach notification laws and establish procedures to comply with reporting obligations in the event of a breach.

Report Your Cybersecurity Status and Progress At Least Annually (Section 314.4(i)):

  • Your Data Protection Officer or Team should provide written updates to the Governing Body at least annually.
  • These updates should include the overall status of the Information Security Program (implementation, compliance, and effectiveness).
  • Material milestones and deficiencies should also be reported.

Regularly Assess and Update Your Information Security Program (Section 314.4(g)):

  • Conduct periodic reviews and assessments of your information security program to identify and address emerging risks, technological advancements, and changes in regulatory requirements.
  • Stay updated on best practices and industry standards for data security and privacy in the insurance industry.
  • Continuously improve your program based on lessons learned from incidents, audits, and feedback from employees and stakeholders.

As you can see, these new Standards for Safeguarding Customer Information closely resemble other industry regulations, such as NAIC Insurance Data Security Model Law and NY’s 23 NYCRR 500 (watch our recent webinar on the 23 NYCRR 500 changes), so we should already be well on our way to meeting these new requirements. So while the FTC Safeguards rule may or may not apply to your Agency, I would strongly encourage you to bake these requirements into your existing Cybersecurity Program. It will be minimal effort for the reward of knowing there’s one less thing you have to worry about.

How Kite Technology Can Help

Ready to take proactive steps in ensuring your agency’s compliance with industry cybersecurity regulations? Let Kite Technology be your trusted partner in this journey. With our expertise in insurance industry regulations and cybersecurity, we are well-equipped to guide you through the evaluation process and implement a tailored Cybersecurity Program for your agency. Contact us today to discuss your specific needs and goals. Together, we’ll fortify your data protection measures and ensure your agency remains secure and compliant.

Jason Gobbel

Chief Solutions Officer
Kite Technology Group

Cybersecurity Bulletin – Microsoft Vulnerability CVE-2021-40444

Microsoft has made us aware of a new threat against Windows operating systems and Office products. Known as CVE-2021-40444, this vulnerability is being actively exploited, so it’s crucial that you stay informed and take the necessary measures to minimize your risk.

What's Happening

CVE-2021-40444 is a vulnerability that could allow a bad actor to take control of a system using malicious files or websites. Bad actors are sending out malicious emails and documents (Word, etc.) that leverage this vulnerability. An example of such a malicious document can be found below.

Example of a Malicious Document

While antivirus has been proven to respond to some of these threats, out of an abundance of caution for our clients, KiteTech is taking the extra steps of disabling the features that rely on the underlying MSHTML engine that’s being exploited. This may impact some carrier websites and advanced features in certain Word/Excel documents that you use.

How to Minimize Your Risk

We’re learning from our security partners that while Microsoft’s recommendations help a great deal, they do not completely mitigate the threat. There are still ways this exploit can be used.

Be sure to consult with your IT provider or internal IT team to ensure that you are well protected. As always, be extra skeptical of any emails, files, or web links that you weren’t expecting. If you do receive a document via email that you weren’t expecting, please don’t open it. If you have any questions, reach out to your IT Provider.

KiteTech is Here to Help

For additional information on this vulnerability, check out this article by KiteTech partner, Huntress: https://www.huntress.com/blog/cybersecurity-advisory-hackers-are-exploiting-cve-2021-40444. The Kite Technology team is also here to help. If you’d like to learn more about how our Managed IT and Security Services can help your organization operate more securely, don’t hesitate to reach out. We are here to help!

Jason Gobbel

Chief Solutions Officer
Kite Technology Group

Adam Atwell

Cloud solutions architect

Adam is passionate about consulting with organizations across the country to help them develop and execute a cloud adoption strategy that meets their business needs and future objectives. Adam oversees and manages our company strategy for Microsoft 365 adoption and is responsible for future growth and development inside Microsoft 365 and other cloud technologies.