Your AMS system has been compromised! Who is responsible for what?
By Chad Guyer
Does your agency have any obligations or exposure when the third-party Agency Management System (AMS) is compromised? The short answer is “yes.” Many of the PIA agents across the country that I have the pleasure of visiting and working with as a Business Development Manager for ABA Insurance Services Inc. understandably, but mistakenly, believe they don’t need cyber insurance when the agency uses an AMS to store their clients’ confidential information. Insurance agencies, like doctors’ offices, routinely use third-party vendors to store proprietary and confidential customer (or patient) information and are surprised to learn they may have legal exposure and notification obligations when the AMS is compromised.
At a recent Cyber continuing education class our company hosted for a group of independent agents in Cleveland, Ohio, the extent of misunderstanding about this issue became clear when one of the agents mentioned that his doctor client declined the agent’s suggestion to consider purchasing cyber coverage. The doctor explained that he wasn’t worried about his system being breached because all the patient information was stored by a third-party vendor on a cloud-based storage system.
The presenter quickly pointed out that while the third-party vendor has the responsibility to fix the compromise and notify its customers (in this case the doctor’s office), the doctor’s office may still have legal notification requirements and possible liability as a result of the disclosure of confidential information. A steady murmur took over the room as agents began to discuss this shocking revelation that applies to agencies as well! The following morning, when I checked my new business submissions, there were six new cyber policies from agencies who attended our educational session!
The lesson here is that an agency has legal obligations and exposure even when the agency’s confidential customer information is managed and stored by an AMS. According to a 2018 study by IBM Security and the Ponemon Institute, the average cost of a breach notification is $148 per record. Multiplied by the number of clients and prospects in the agency management system, notifications can become very costly. Cyber policies typically cover the cost of notifying clients and repairing reputational harm, as well as providing credit monitoring or theft protection to those clients whose information was disclosed. Usually, there is also liability coverage for claims brought as a result of the compromised information, which can be expensive to defend and resolve.
It is important that agents make sure they have appropriate cyber coverage even when they use an AMS. It could be the difference between keeping your agency’s doors open, or closing them for good.
Chad Guyer is Business Development Manager of ABA Insurance Services.
This article is for informational purposes only. Any views or opinions expressed are the author’s; shall not be construed as legal advice; and do not necessarily reflect any corporate position, opinion or view of ABA Insurance Services Inc., or its affiliates, or a corporate endorsement, position or preference with respect to any contractual terms and provisions or any related issues. If you have any questions or issues of a specific nature, you should consult appropriate legal or regulatory counsel. Cyber policies are underwritten by Great American E&S Insurance Company, a DE domiciled surplus lines insurance company, eligible to underwrite surplus lines insurance in all 50 states and the D.C. ABA Insurance Services Inc. is an OH domiciled agency with its principal place of business at 3401 Tuttle Rd., Suite 300, Shaker Heights, OH 44122. CA license # 0G63200. This is not intended as a solicitation or offer to sell an insurance product in a jurisdiction in which the solicitation, offer, sale or purchase thereof would be unlawful. 022020