Safeguarding Vital Information on the Cloud

The cloud. That mysteriously vague destination we all have accepted as the repository of unimaginable amounts of digital information. You can send anything to the cloud, and we do. But how safe is that information – especially vital information about identity, finances, purchasing habits, and so much more?

This can become an especially critical question for business owners, who by necessity accept, process, and share such vital information in the course of doing business. Even businesses that do not work directly with healthcare, financial or other regulated data may find themselves exchanging identity information with third parties. For example, many businesses use an outsourced payroll reporting company, providing Social Security numbers and possibly additional personal information to that third party.

Safeguarding the privacy of the information you share with third parties should become and remain a top priority. A key first step includes carefully and thoroughly vetting your vendors, to make sure that they are adequately protecting the data you are sharing with them. Here are some questions you may want to ask as part of that vetting process:

  • Is the vendor, because of the data they possess or the business in which they are engaged, subject to any cyber security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) compliance requirements, or the New York State Department of Financial Services (NYDFS) cyber security regulations?
  • Does the vendor have a formal cyber security program with written policies, plans and procedures? If so, does that program follow a cyber security or auditing framework such as CIS, NIST, SOC or ISO? Does the program cover risk assessment, asset management, patch management, vulnerability management, and endpoint detection and response? Does the vendor have incident response, disaster recovery, and business continuity plans?
  • Does the vendor provide cyber security training to their employees? How often? What topics are covered? Does the vendor conduct phishing simulations to test employees’ ability to properly recognize and respond to phishing attacks?
  • Does the vendor limit each employee’s access to IT resources to only what is required to do that employee’s job? Does the vendor encrypt data? At rest and in motion? Does the vendor require employees to use complex passwords? Does the vendor require multi-factor authentication for access to non-public data? Does the vendor require multi-factor authentication for remote access to IT resources?
  • Has the vendor experienced a cyber security incident in the past 24 months? If so, can they describe the incident and what remediations have been made to prevent its recurrence? As a result of the incident, was a cyber insurance policy claim filed, or was regulatory action taken?

While vetting vendors is important, it’s equally essential to ensure that confidential customer information, like personal identification or private health records, is protected as you hold it for your business purposes. How would you answer the above questions if a client posed them to you?

Evergreen Insurance does not provide specific IT counsel or advice, but shares this message to help clients protect their business interests.

Copyright 2025 Evergreen Insurance

Evergreen Insurance provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.