Cybersecurity Getting Tougher for U.S. Insurers
Cybersecurity has emerged as one of the most critical issues facing government and industry alike. Press headlines highlight major cybersecurity events involving a wide range of businesses almost every day. The cyber events are sparking conversations across the global corporate spectrum. Not surprisingly, these headlines and conversations have attracted the attention of insurance regulators and trade organizations.
Of particular note, the New York Department of Financial Services (DFS) has taken significant actions in the area of cybersecurity. Other U.S. state insurance regulators are likely to follow New York’s lead. Insurance companies face unique risks in the area of cybersecurity because of the large amounts of personally identifiable and, in certain instances, health-related or financial information they collect and maintain. This information is an attractive target for hackers and cyber-terrorists.
Cybersecurity has been a topic of increased focus for the insurance industry over the past year. To this end, the National Association of Insurance Commissioners (NAIC) established a Cybersecurity Task Force to monitor developments in the area of cybersecurity and to advise, report and make recommendations to the NAIC Executive Committee on cybersecurity issues that have an impact on the insurance industry. The NAIC has also established a set of Principles for Effective Cybersecurity Insurance Regulatory Guidance, aimed at protecting “the insurance sector’s data security and infrastructure.”
These principles, which the NAIC Cybersecurity Task Force approved and adopted in April 2015, establish insurance regulatory guidance relating to planning for cyber crisis response, managing the security of third-party vendors, including cyber risk as part of corporate enterprise risk management, utilizing encryption technology when handling sensitive data, and training employees to become more aware of cybersecurity risks. The principles provide a helpful, high-level framework for the insurance industry.
More recently, in October, the NAIC issued a “Cybersecurity Bill of Rights” that is aimed at educating consumers and serving as a guide for insurers on cybersecurity issues. The Bill of Rights has been described by one insurance commissioner as a road-map for future model NAIC privacy laws and regulations.
In February 2015 the DFS emerged as the first insurance regulator to offer comprehensive guidance on cybersecurity when it issued its “Report on Cyber Security in the Insurance Sector.” The report marked the culmination of work that started in 2013 with a survey to assess cybersecurity policies and processes of more than 40 New York domiciled insurance companies with combined assets of over $3 trillion. The objective of the survey was to obtain a horizontal perspective of the insurance industry’s efforts to prevent cyber crime, protect consumers and clients in the event of a breach, and ensure the safety and soundness of the insurance organizations.
The report found that almost all of the insurers surveyed have an information security framework in place that includes:
- Written information security programs
- Security awareness and education for employees
- Information security audits
- Cyber incident monitoring
However, the report recommended that in addition to these framework components, insurance companies should participate in the Financial Services - Information Sharing and Analysis Center (FS-ISAC) to obtain and share additional information regarding cybersecurity events and practices. FS-ISAC is a resource for cyber and physical threat sharing and analysis for global financial services companies.
The report included several additional observations and recommendations:
1. DFS determined that over 40% of the companies that responded to its survey had conducted a single penetration test each year to simulate a cybersecurity attack.
2. While 35% of the insurance companies surveyed had experienced between one and five security breaches in the prior three years, 5% indicated they had experienced at least 10 cyber attacks.
3. Only 14% of CEOs receive monthly information security briefings.
In December 2014 DFS announced plans to incorporate periodic assessments of cybersecurity preparedness as part of its reviews of banks it regulates. According to DFS, those plans include examining the banks' existing protocols for the detection of cyber breaches and penetration testing, corporate governance related to cybersecurity, defenses against breaches such as multi-factor authentication, as well as the security of their third-party vendors.
In March 2015 DFS requested that New York insurers prepare a comprehensive risk assessment of cybersecurity. The assessment included 16 questions, many of which were meant to determine what insurers are doing to assess their third-party vendors and providers regarding safeguards and responses to breaches.
DFS further stated that it “expects to proceed with a number of initiatives to help strengthen cyber security at its regulated insurance companies,” which includes “regular targeted assessments of cyber security preparedness at insurance companies as part of the Department’s examination process; putting forward enhanced regulations requiring institutions to meet heightened standards for cybersecurity; and exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors, and other measures.”
In July 2015 the NAIC’s Cybersecurity Task Force announced that it would be coordinating with state insurance regulators to conduct examinations of insurance companies to verify that companies are taking appropriate steps to protect sensitive data.
While the details of the cybersecurity measures from DFS remain to be seen, it is clear that cybersecurity is receiving significant attention from one of the country’s leading insurance regulators. Not only is the guidance from DFS instructive for insurers across the country, but it likely provides a preview of guidance and regulations that will be issued by insurance regulators across the U.S. in the coming months. DFS’s report and the NAIC’s guidance present an opportunity for insurers of all sizes in all markets to assess their cybersecurity preparedness in the face of an issue that will likely become more challenging for years to come.