The last presentation at the recent YAC Sales & Leadership Conference was on cyber security and it included a demonstration of just how vulnerable an insurance agency or any other business can be to a cyber attack. One of the agents at the conference agreed to allow his agency to be the subject of a cyber attack by the presenters.
This attack did not involve a sophisticated attempt to penetrate the agency’s servers via their connection to the internet, as is seen most often in the movies and on TV. Instead, the presenters sent e-mails from what appeared to be the agent’s e-mail address to 15 or so employees of the agency. The e-mail contained only publicly available information about the agent and the agency. It also contained a link that asked the recipient to provide certain information, which if provided would have allowed a true hacker to access to all the information on the agency’s computer system. That link could have just as easily installed malware on the agency’s computer system with the same result.
Even though the e-mail was sent late at night and contained many typos, two of its recipients clicked on the link and one provided the information necessary to allow a hacker to gain access to the agency’s computer system. This result is consistent with the fact that the majority of successful cyber attacks on businesses involve employees doing something they should not have done. It also emphasizes the fact that cyber security is not just limited to having firewalls and detection software installed on an agency’s servers and desktops. While important to do, it is even more important for an agency to train its employees on what not to do when receiving and responding to e-mails during the course of the work day.
Such training should involve what warning signs to look for in the e-mails they receive that may indicate the e-mails are really from hackers trying to gain access to the agency’s computer system. Two of those signs were present in the e-mails sent to the above agent’s employees, late at night and many typos. Mismatched URL’s and misleading domain names are two other such signs (click here for a list of ten such signs.)
The damage that can be done by a hacker who has gained access to an agency’s computer system is limited only by the imagination of the hacker. Click here for an example of how the information in that system can be used to create fake e-mails to the agency’s customers that ask for money to be sent to a fake bank account. Click here for an interesting video from Hewlett-Packard that explains how printing a coupon sent to an employee by a hacker can result in the hacker gaining access to a business’ computer system.
It’s not enough to protect an agency’s computer system with firewalls and detection software. Its employees must also be trained to spot phishing e-mails, which training must be ongoing to keep up with the latest versions of such e-mails.
In October of last year, I wrote a post that summarized my opinion on the question of when and how an insurance agent may pay a fee to an unlicensed person for the referral of a potential customer to the agent by that person. That post was written from the perspective of whether and when the Georgia Insurance Code would permit the payment of such fees. It did not take into consideration, any other laws or regulations that may be applicable to the person to whom the referral fee was to be paid.
A recent call to the Free Legal Service program that I run for the members of the Independent Insurance Agents of Georgia made me think about such other laws and regulations. The caller mentioned that an agent he knew had been told that it was illegal to pay a referral fee to a real estate agent or mortgage broker under the Real Estate Settlement Procedures Act (“RESPA”). That Act prohibits both the payment and the acceptance of “any fee, kickback, or Thing of Value” in connection with “business incident to or a part of a real estate settlement service involving a federally related mortgage loan.” The criminal penalty for the violation of this prohibition is a fine of up to $10,000 and up to one year in prison, and the civil penalty is payment of three times the amount charged the borrower for the settlement service in question, plus attorney fees and other costs of litigation. Both the payer and the recipient of a prohibited referral fee are subject to these penalties.
The RESPA prohibition on fees, kickbacks, and things of value applies only to residential mortgage loans for real property designed principally for “the occupancy of from one to four families.” It also applies only to services that are “incident to or a part of” the settlement of such loans. The statute refers specifically to title insurance and services performed by real estate agents or brokers as being covered by this prohibition. Nothing is said in the statute or regulations about the provision of property and casualty or any other kind of insurance to the borrower of a covered loan.
However, if the existence of such other insurance coverage is required by the lender of a covered loan in order for the loan to be “settled”, a good argument can be made that the provision of such insurance is “incident to or a part of” the settlement of the loan. If a charge for the cost of such insurance is included on the settlement statement for the loan, this good argument becomes a convincing argument. For an agent who is considering paying a referral fee to real estate agents, mortgage brokers, or lenders for the names of home buyers who may need property and casualty or other insurance coverages to obtain a loan, it would be a good investment to pay an attorney for a legal opinion on whether the payment of such a fee is prohibited under RESPA.
For a referral fee arrangement with any other person, it would be a good idea to ask that person if their activities are subject to any laws or regulations that may prohibit the payment of such fees. As the above makes clear, just because it may be legal under the Georgia Insurance Code to pay a referral fee does not mean it’s permissible under all other laws and regulations.