Statement of Cybersecurity
Cybersecurity is important to Propel Insurance. We make it our business to know our clients' business inside and out, and that includes their cybersecurity concerns. We understand that we handle sensitive data on behalf of our clients and partners, and we are committed to securing that data appropriately.
Propel Insurance is regulated by the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). Propel Insurance has fewer than ten employees located in New York and therefore falls under the Limited Exemption in section 500.19(a)(1) of that regulation. The certificate of compliance is filed with the state of New York annually. Propel Insurance also self-regulates under the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the NIST Privacy Framework.
The Cybersecurity Program at Propel Insurance is designed to protect the confidentiality, integrity, and availability of information systems both on-premises and in the cloud. Propel Insurance employs a dedicated information technology team responsible for maintaining these systems, including a dedicated security position. The names and contact information of these individuals can be provided upon request. The team has a budget for ongoing education and training, used as appropriate for individual roles. Propel Insurance performs a third-party cybersecurity assessment annually, including vulnerability and penetration assessments.
The Cybersecurity Program is risk-based, following the guidelines in the NIST CSF. An annual risk assessment is performed by an independent third party, and all risks identified are mitigated appropriately. Propel Insurance employs cybersecurity policies and procedures that drive a defensive infrastructure. The raw results of all security assessments (risk, vulnerability, or penetration) are for Propel Insurance internal use only. Similarly, policies and procedures are for internal use only. All policies are management-approved and reviewed annually.
The defensive infrastructure is monitored both for resilience and for potential security events that take place on Propel Insurance computer systems. Events are reviewed for anomalous activity, and records of these events are kept for each infrastructure system and archived for a period of at least five years. The infrastructure is protected from external threats by both firewalls and anti-virus software. Anti-virus updates are delivered by automated push, and patching is performed monthly, in line with vendor releases. The infrastructure is backed up and can be restored if a system outage or other incident occurs.
Accounts and access are reviewed regularly, on a schedule based on each account's level of access; accounts with more access are reviewed more frequently. No action may take place on a Propel Insurance computer system without logging into an account. Access to client data is on a need-to-know basis and is audited. Any account found with excessive access is updated immediately to restore baseline role-based access. Account management processes are in place to appropriately handle updates, additions, and removal of accounts. Unattended accounts or computers must be locked.
All access to computing resources is based on multi-factor authentication. Users are required to log in with a username, password, and a second-factor token, such as an SMS code or a smartphone application. The passwords are governed by a policy that includes complexity, length, and age requirements. Passwords are changed every 90 days. Remote work is performed via an AWS Workspace connection. All data remains logically internal to Propel Insurance, per policy. Only authorized employees and escorted visitors are allowed in Propel Insurance facilities.
Propel Insurance does not develop applications in-house. Application and other third-party vendors are vetted for security before the application or product is introduced into the Propel Insurance environment. Third-party vendors do not have access to non-public or personally identifiable information.
All external data in transit is encrypted with Transport Layer Security (TLS). Most employees use a zero-client workstation to connect to an AWS Workspace. Laptops issued to employees and AWS servers are configured to encrypt data at rest. Non-public information is encrypted, retained, and destroyed in accordance with Propel Insurance policies and procedures; non-digital non-public information is destroyed via secure shredding.
Propel Insurance maintains security incident response plans in conjunction with its Business Continuity and Disaster Recovery plans. Potential security incidents trigger a response and escalation procedure that verifies, contains, remediates, and reports the incident as appropriate. If an incident leads to a potential security breach, Propel Insurance activates its security incident response process. In a scenario where a large-scale breach does occur, Propel Insurance maintains cybersecurity insurance with incident response coverage for additional assistance. If there is a breach, Propel Insurance verifies the scope of the breach and reaches out to technology contacts at affected organizations at the soonest opportunity.
Employee security awareness and response to suspicious activity are everybody's responsibility at Propel Insurance, and a key contributor to successfully managing cybersecurity risks. All Propel Insurance employees complete mandatory security training; are required to view monthly online videos on relevant security topics; are subject to periodic phishing test exercises; and are trained on how to report and respond to suspicious content or activity. Access is removed for users who fail testing until remedial training is successfully completed. Employees can face disciplinary action for not participating in the security training, or if they neglect to promptly report any commonly known security threat or suspicious activity that leads to a security incident or breach.
Any questions not covered by this statement may be directed to a Propel Insurance representative.