On February 8, 2015, the New York State Department of Financial
Services ("NYDFS") announced that it will soon begin
making targeted cybersecurity assessments of insurance companies
and that it plans to issue regulations setting heightened security
standards. The announcement coincides with the agency's release
of a Report on Cyber Security in the Insurance
Sector (the "Report"), which provides a cross-section
review of the cybersecurity practices and experiences of 43
insurance providers. The Report also reflects a growing trend
among state regulators toward promoting better safeguards for
consumer information.
Although the Report covers the full range of NYDFS-regulated
insurance companies, nearly half of the entities surveyed are in
the health insurance sector. Health insurers typically hold vast
amounts of protected health information and are therefore a
significant focus both of the Report and of the future actions the
agency refers to. NYDFS gave few details about its regulatory agenda but did
explain an intention to start acting in the "coming weeks and
months." The following provides a basic overview of the
Report.
Report Describes Industry Practices and Cybersecurity Gaps
The Report surveys the state of cybersecurity preparedness in
the insurance sector and identifies the areas that might become the
subject of regulatory oversight. The Report confirms the broad
reach of cyber threats: about 42 percent of large and small
insurers reported having experienced at least one breach within the
last three years.
NYDFS expressed concern that some companies still do not conduct
cybersecurity audits of their third-party service providers. Under
agreements with insurance companies, third-party vendors often
receive access to protected data, but they may not be subject to
the company's cybersecurity program. NYDFS plans to impose
heightened requirements on these third-party vendors through new
regulations for insurers. Additionally, NYDFS encouraged insurers
to participate in information-sharing activities, such as the
Financial Services–Information Sharing and Analysis Center
("FS–ISAC") that, among other things, helps
identify threats experienced by participating members.
Other notable findings in the Report include:
- Most surveyed companies have designated information security executives, although only 14 percent said their CEOs receive monthly briefings on cybersecurity.
- Thirty-three percent of the companies that experienced a data breach did not consider the breach sufficiently significant to warrant notification to any third party. Also, most firms reported suffering no financial loss and having no cases of identity theft from the breaches.
- More than 95 percent of insurers reported having adequate staffing levels for information security, corresponding with increases in budgets that most security departments experienced over the last three years.
States Trending Toward More Active Oversight of Information Security
These announcements come on the heels of other cybersecurity
initiatives recently adopted in New York. At the end of 2014,
NYDFS issued guidance to its banking sector
regarding the agency's new procedures for examining
cybersecurity programs of banks. Separately, as of 2014, NYDFS
requires certain insurance companies to file annual enterprise risk
management ("ERM") reports identifying material risks to
their operations. According to the Report, most of the initial ERM
filings by insurers do not disclose cybersecurity as a stand-alone
risk. The authors of the Report expect future ERM filings will
include more frequent, and more detailed, discussions of
cybersecurity risks.
These recent actions follow a concerted effort among states to
provide regulatory oversight for cybersecurity preparedness in the
absence of federal standards. In November 2014, the National Association of Insurance Commissioners
established a special task force charged with exploring
potential frameworks that state insurance examiners could use in
assessing insurance companies' cybersecurity programs.
In light of these policy developments, insurers should review the
Report and continue monitoring the regulatory activities of New
York and other states.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.