Protecting Customer Data with TLS eMail Security

Security, privacy and peace of mind – the importance of TLS eMail Security to the P&C insurance industry.

May 2015

© 2015 Centre for Study of Insurance Operations

110 Yonge Street Suite 500 Toronto, ON M5C 1T4 www.csio.com



Table of Contents

Why TLS Should Matter to Brokers
What is Transport Layer Security?
What Are the Risks to Brokers of Not Adopting TLS?
TLS Helps Brokers Stay Within their BMS
Many Insurers and Brokers Already Use TLS
How Much Will TLS Cost Brokers?
How Quickly Can Brokers Implement TLS?
How Will TLS Affect a Broker’s Customers?
Other Benefits of TLS
CheckTLS.com
Are Public Email Services TLS Enabled?
How Do I Implement TLS?
CSIO Broker Member Adoption - TLS Map
TLS Resources
CSIO Webinar on TLS
CSIO Articles on TLS
TLS eMail Security Infographic


Why TLS Should Matter to Brokers

Transport Layer Security (TLS) is a readily available and inexpensive eMail Security solution that encrypts emails for maximum confidentiality. Since CSIO first began promoting this technology in 2013, more brokers and insurers have adopted it.

All brokers are concerned about protecting the integrity and confidentiality of their customers’ information. An incredible amount of sensitive customer information is transferred between brokers and insurers on a regular basis via email.

Many brokers are still exchanging unsecured emails over the open Internet with the private information of their customers. If an unsecured email containing customers’ personal information is intercepted, the brokerage’s reputation could be severely damaged. Brokers can properly secure these emails and protect their customers’ information by adopting TLS.


“Brokers need to be prudent when transmitting the personal information of clients electronically. TLS is an effective tool to allow them to do that in a prudent fashion. PIPEDA and privacy are important matters we think about when we’re putting procedures in place and setting up systems. When setting up systems, you need to give an appropriate level of thought to ensure that you’re doing everything you can in order to protect privacy.”

Ted Harman

President, Accent Insurance Solutions

Vice-Chairman, CSIO Board of Directors


What is Transport Layer Security?

TLS can be used to create a secure environment for web browsing and emailing. TLS can reduce the risk of a third party intercepting, tampering with or forging any of your email communications. To accomplish this, each party needs to enable a security certificate on their email server. Once in place, TLS automatically secures email transmissions from one server to another using encryption technology.

TLS operates invisibly and requires no user intervention – the user experience is identical to regular email, whether communicating with a TLS-enabled party or not.

What Are the Risks to Brokers of Not Adopting TLS?

Not adopting TLS carries major security risks. Without TLS, a broker’s emails could be intercepted and altered by a malicious third party. Some brokers might think, “That’ll never happen to me. There’s no one trying to compromise my email system.” But the reality is that it could happen to anyone in any industry that uses email communication on a regular basis.

There are computer programs called “spambots” that regularly harvest email addresses from material found online. The spambots are often capable of cracking passwords and sending spam using other people’s accounts, a process known as “phishing” or “spoofing.” This could lead to email fraud if a broker’s customer is tricked into clicking on links and sending out personal information to an account that looks legitimate but actually is not. TLS can help prevent:

• Email message forgery

• Email interception/tampering

• Email phishing/spoofing

Spambots are also capable of harvesting a broker’s email address book and sending fraudulent emails to a broker’s entire contact list. This, of course, would be a nightmare situation for brokers that would probably result in at least some lost business and harm to the broker’s professional reputation. Implement TLS in order to feel confident that your brokerage will avoid such a situation.


TLS Helps Brokers Stay Within their BMS

A major reason brokers still have to leave their broker management system (BMS) is that insurers are not convinced that some brokers’ existing communications are secure. Insurers therefore ask brokers to enter company-specific portals to complete sensitive claims information.

TLS addresses that security deficiency, allowing brokers to stay within their BMS to email attachments and documents to insurers, saving time and streamlining workflows.


“Because of TLS, we don’t have to use company portals as much, which tend to be cumbersome for CSRs to launch and navigate. It’s so much faster to attach a PDF to an encrypted email and fire it off to the company. It can take five to ten minutes to do a simple change in a company portal, whereas the same change in our BMS would take maybe three minutes. So, CSRs are able to complete a higher volume of work in a day and that means a higher level of efficiency.”

Aaron Sargeant

IT Supervisor

Darling Insurance


Many Insurers and Brokers Already Use TLS

A lot of progress has already been made with TLS in the broker channel, so brokers should rest assured that they are not starting from scratch on this initiative. A growing number of insurers and brokers have already adopted TLS. The consensus among these insurers and brokers is that there is a need to protect the sensitive information that they exchange via email from tampering by third parties. Many insurers have already implemented TLS, and others plan to convert to it as soon as possible.

But the TLS initiative will only be successful for the entire broker channel if it achieves widespread adoption.

How Much Will TLS Cost Brokers?

There is a very low implementation cost associated with TLS. Brokerages need only purchase TLS certificates for their servers, rather than large numbers of enterprise certificates for all customers. These certificates can be purchased online from several resellers and they typically range in cost from $45 - $100 per year.

There is typically no need to purchase any software for a TLS implementation. However, if you lack an email server, you may consider Microsoft Exchange Online, which costs approximately $4.00 – $10.00 per user per month. With this service, you can host your email on Microsoft servers over the Internet.

How Quickly Can Brokers Implement TLS?

TLS allows for rapid deployment. Workstations do not require any additional configuration; only servers need to be modified. The configuration process is also straightforward. Time to value is measured in days and weeks, not months and years.


How Will TLS Affect a Broker’s Customers?

Your customers will have no idea that an extra layer of security has been provided to their personal information using TLS, unless you tell them. TLS email encryption is invisible to both the sender and the receiver. Both parties will send and receive emails the same way as they do without TLS. No special software is installed on customer machines.

Other Benefits of TLS

• Easy to implement in all corporate email environments

• Encrypts both text and attachments

• Globally accepted and currently available on most email servers

• A widely recognized standard issued by the Internet Engineering Task Force (IETF)

• Email can be easily inspected for viruses

• Increased compliance with privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA)

CheckTLS.com

CheckTLS.com is a useful resource that allows anyone to check any email address for TLS encryption. Brokers can take advantage of this tool to determine whether or not a customer or insurer they are dealing with has TLS enabled.

Simply enter an email address into the “Address” field on the website, click “Try It” and wait for the results to display.
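What a check of this kind looks at on the receiving mail server, as an added example (it is not part of the CSIO paper and is not CheckTLS.com's code): whether the server's SMTP greeting offers STARTTLS, and whether its certificate validates. The sample replies and host names are constructed, and `probe_mail_server` assumes you pass it the domain's mail (MX) host.

```python
import smtplib
import ssl

# Constructed EHLO replies for illustration; not captured from real servers.
SAMPLE_WITH_TLS = (b"250-mx.insurer.example Hello\r\n250-SIZE 36700160\r\n"
                   b"250-STARTTLS\r\n250 8BITMIME\r\n")
SAMPLE_WITHOUT_TLS = b"250-mx.broker.example Hello\r\n250 SIZE 10240000\r\n"


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """Return True if an SMTP EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        # Reply lines look like "250-KEYWORD params"; the last one uses "250 ".
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        if line[4:].split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False


def probe_mail_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to one mail server (assumed to be the domain's MX host) and
    report whether it offers STARTTLS and presents a certificate that
    validates against the system trust store for that host name."""
    result = {"starttls": False, "cert_valid": None, "tls_version": None}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result  # mail to this server would travel unencrypted
        result["starttls"] = True
        try:
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError:
            result["cert_valid"] = False  # expired, untrusted or wrong name
            return result
        result["cert_valid"] = True
        result["tls_version"] = smtp.sock.version()  # negotiated protocol
        return result
    finally:
        smtp.close()


if __name__ == "__main__":
    print(advertises_starttls(SAMPLE_WITH_TLS),
          advertises_starttls(SAMPLE_WITHOUT_TLS))
```

Outbound port 25 is blocked on many office and home networks, so run `probe_mail_server` from a host that is permitted to send mail.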


Are Public Email Services such as Gmail and Yahoo! TLS Enabled?

Many public email services – including Gmail and Yahoo! – are now TLS enabled.

Regarding Gmail, Google writes on their blog, “Starting today, Gmail will always use an encrypted HTTPS (TLS-encrypted) connection when you check or send email.” (2014)

Regarding Yahoo!, a source writes “Yahoo Mail had support for full-session HTTPS—SSL/TLS encryption over HTTP—since late 2012, but users had to opt in to use the feature. Tuesday, the company delivered on a promise that it made in October to enable encryption for everyone by default by January 8.” (PCWorld, 2014)

Google has put together a Transparency Report for TLS that shows the amount of email encrypted in terms of volume of email to and from Gmail. You can select by region, or perform a search on a domain to see how much of the email exchanged with Gmail is encrypted.

This means that more and more insurance customers are using email addresses with TLS encryption. However, if unsure, brokers should still determine whether or not a customer’s email is TLS enabled by using CheckTLS.com.

If the customer’s email is not TLS enabled, the broker could consider asking that customer if they have another email that could be used – perhaps with Gmail or Yahoo! – before any sensitive information is transacted.


How Do I Implement TLS?

Contact your IT support provider and ask about implementing TLS in your organization to realize the benefits of having the best low-cost email security solution available.

Also refer to our Transport Layer Security (TLS) Implementation Guide, available on CSIO.com. This document will help IT providers expedite the TLS implementation process.

CSIO Broker Member Adoption of TLS - Interactive Map

CSIO undertook a study to determine the implementation of TLS among its broker members across Canada. The results were used to produce the following interactive map, which illustrates brokerage adoption of TLS for each province:

(Data current as of May 2015)


TLS Resources

CSIO Webinar on TLS

Implementing an Effective Information Security Program: Safeguarding Network Data and Email with TLS

CSIO Articles on TLS

You’ve Got (Secure) Mail, Top Broker

TLS: A Small Price to Pay for Data Protection, Liaison

Providing Client Peace of Mind with TLS, Sask Broker

A Small Price to Pay for Substantial eMail Security, Atlantic Broker

TLS Provides TLC for Client Data, Ontario Broker

The Industry Solution for eMail Security, BC Broker

eMail Security with TLS, Alberta Broker


“We heard about the benefits of TLS and at the low price of installing it, it was an easy decision for our office. The obvious benefit is the encryption, which allows us to feel more confident about the security behind the emails that we’re constantly sending.”

Rick Orr

Owner, Orr Insurance & Investment and CSIO Board Member

Slide from TLS webinar


About CSIO

CSIO is Canada’s industry association of property and casualty insurers, brokers and software providers. CSIO is committed to improving the efficiency and competitive position of the broker distribution channel by overseeing the development, implementation and maintenance of technology standards and solutions such as eDocs, Telematics and eSignatures. In addition, CSIO continues to maintain and operate the industry-owned EDI mail network service, CSIOnet. CSIO maintains offices in Toronto and Montreal. For more information, visit www.csio.com.

References

http://checktls.com/

https://www.google.com/transparencyreport/saferemail/

http://www.ietf.org/rfc/rfc5246.txt

http://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/ib_tls_overview.html

http://gmailblog.blogspot.ca/2014/03/staying-at-forefront-of-email-security.html

http://www.pcworld.com/article/2085700/as-yahoo-makes-encryption-standard-for-email-weak-implementation-seen.html