
For Houston insurance agencies

Keep your carrier appointments after a breach.

Lose your appointment after an incident and you lose the book, and the technology bill becomes the smallest part of the loss. I put the security controls in place that protect the client information you must safeguard, so you can answer the carrier security questionnaire honestly and your own coverage holds when you need it.

Authorities cited below: GLBA Title V, the Texas Insurance Code, and Texas Business and Commerce Code Chapter 521. This is a plan, not a compliance guarantee.

What a breach actually costs an agency

Your agency holds dates of birth, Social Security and driver license numbers, medical details on life and health applications, and bank information for drafts. That is exactly the data criminals want, and a breach is no longer just an IT problem. It is an appointment problem and a reputation problem.

The threat is not theoretical for small offices. In the 2025 Verizon Data Breach Investigations Report, ransomware was present in 88 percent of breaches at small and medium businesses (Verizon 2025 DBIR). Agencies are squarely in that group. Wire and payment fraud is part of the picture too: the FBI's Internet Crime Complaint Center reported $16.6 billion in total losses in 2024, with business email compromise alone accounting for about $2.8 billion (FBI IC3 2024 Internet Crime Report), and an agency inbox is a rich target.

The same controls do double duty. They protect client information, and they are the exact controls a carrier or E&O underwriter asks about, so this work also keeps you able to qualify, bind, and keep a claim from being denied. Spending a little on prevention is small next to losing a book of business.

Are we even covered by GLBA?

Yes. GLBA covers a much wider set of businesses than the word "bank" suggests. Selling insurance, advising on it, and handling the customer information that comes with it are financial activities, so your agency is almost certainly a financial institution with a duty to protect nonpublic personal information under GLBA Title V (15 U.S.C. 6801 et seq.).

So if you have wondered whether GLBA touches your agency because you are "just" an agent and not a bank, it does. The harder question is not whether you are covered. It is which regulator writes and enforces the data-security rules you have to follow.

Is the FTC or the state regulator in charge of us?

For insurance, normally the state. Under GLBA section 505 (15 U.S.C. 6805), rulemaking and enforcement for businesses engaged in insurance is allocated to state insurance authorities, not the Federal Trade Commission. The FTC Safeguards Rule has a defined scope under 16 CFR 314.1(b): it applies to financial institutions under the FTC's jurisdiction that are not already under another functional regulator. That carve-out pulls most insurance agencies out from under the FTC and places them under their state insurance department instead.

One exception catches agencies off guard. If your office does more than sell insurance, the other activity can pull part of your operation back under the FTC Safeguards Rule. The 2021 amendments even added "finders" who bring buyers and sellers together (16 CFR 314.2(h)). If you also prepare taxes, broker loans, or provide another listed financial service, that line of business can carry its own FTC obligations regardless of how your insurance side is regulated.

Even when it is not the binding rule, the FTC's 16 CFR 314.4 is the clearest plain-language checklist of what regulators care about: a written security program, a named person to run it, a risk assessment, access controls, encryption, MFA, testing, training, vendor oversight, and an incident response plan. State insurance requirements and the FTC framework implement the same statute, so they ask for the same core things.

What does Texas actually require today?

Here is the honest version, because this is widely muddled. Texas has not adopted the NAIC Insurance Data Security Model Law. As of the NAIC's 2025 state tracking, Texas shows no current adoption activity (NAIC, Insurance Data Security Model Law state tracking). So there is no Texas insurance-specific cybersecurity statute today. Do not let a vendor scare you with one that does not apply.

Your real, present obligations are GLBA, the Texas breach law, and your carrier contracts. Texas requires businesses that hold sensitive personal information to use reasonable safeguards and to notify affected people after a breach, under the Texas Identity Theft Enforcement and Protection Act (Texas Business and Commerce Code Chapter 521).

The point to be confident about is the structure: GLBA covers you, the state and not the FTC normally enforces the security rules for your insurance business, and the exact Texas requirement is the kind of thing you should confirm against the current rule for your license rather than take from a blog post.

What do carriers and E&O insurers ask about?

They are pricing your risk. Cyber and errors-and-omissions underwriters increasingly require controls before they bind or renew, and they ask you to attest to them. Attesting to controls you do not have can void coverage when you need it most. Here is how a typical break-fix IT relationship compares with how I work.

Typical break-fix IT                         | Arain Systems
---------------------------------------------|------------------------------------------------
Fixes things when they break                 | Owns your security controls year round
Generic small-business support               | Built only for financial and medical offices
Cannot speak to GLBA or carrier forms        | Maps your controls to what carriers ask
No record of who can see client NPI          | Starts with a written map of your exposure

What I put in place

Identity

Multi-factor authentication you can attest to

MFA across email and every system that touches client nonpublic information, set up so the attestation you sign on the carrier form is actually true. Signing for a control you do not have is what voids a claim later.

Access

Data isolation by role

Producers and CSRs see only the client data their role needs. We start with a written map of who can reach which nonpublic information, so a single compromised login does not expose the whole book.

Continuity

Tested, ransomware-resistant backups

Backups that are isolated and actually restored on a schedule, so an outage does not stop renewals and claims. You own the backups and the runbook, never locked in, including to us.

Email

Email authentication and monitoring

Enforced email authentication and mailbox-rule monitoring, because an agency inbox is where wire and payment fraud starts. The same control the underwriter asks about closes the door a criminal walks through.

I begin with a fixed-scope gap assessment against GLBA safeguarding duties, the Texas breach law, and the security questions your carriers and E&O insurer are asking. You get a written report ranked by risk and a plan you keep, whether or not you hire me. This is a gap assessment and an ongoing program, not a certification.

Common questions

Yes. Insurance agencies handle nonpublic personal information and are financial institutions with a duty to protect it under the Gramm-Leach-Bliley Act (GLBA Title V, 15 U.S.C. 6801 et seq.). The harder question is not whether GLBA covers you, it is which regulator writes and enforces the security rules, and for insurance that is your state insurance regulator rather than the FTC.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.

Get a free wire-fraud and insurability review

I check how a fraudulent instruction would move through your agency today and where your controls stand against the carrier questionnaire, then give you written findings. No commitment, yours to keep.
