As cybersecurity threats gain attention at the state and national level, and even internationally, the National Association of Insurance Commissioners ("NAIC") Cybersecurity (EX) Task Force ("Task Force") held its inaugural meeting on March 29, 2015 in Phoenix, Arizona to consider a number of issues pertaining to cybersecurity. Prior to this meeting, the Task Force had released for comment its draft Principles for Effective Cybersecurity Insurance Regulatory Guidance ("Draft Principles") and agreed to extend the comment period to April 10, 2015.

The Draft Principles contained a number of important statements and items that demonstrate the direction that insurance regulators may go next, including:

  • Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks. (Principle 1).
  • Insurance regulators have a significant role and responsibility regarding the insurers' efforts to protect sensitive customer health and financial information. (Principle 2).
  • Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology framework. (Principle 5).
  • Regulatory guidance must consider the resources of the insurer or insurance producer. (Principle 6).
  • Insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based, value-added financial examinations and/or market conduct examinations regarding cybersecurity. (Principle 8).
  • Cybersecurity risks should be included and addressed as part of an insurer's and insurance producer's Enterprise Risk Management processes. (Principle 12).
  • High-level information technology internal audit findings should be discussed at the insurers' and insurance producers' Board of Directors meetings. (Principle 13).
  • Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential. (Principle 16).
  • Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families. (Principle 17).
  • Additional data on the sale of cyber insurance products should be collected to assist insurance regulators with oversight of financial and market regulation.

While the NAIC is beginning the process of moving collectively toward what could become model laws, model regulations, or model guidelines to provide a framework for states to develop a uniform regulatory architecture for cybersecurity, other states have been and will continue to move forward.

In addition to the multistate market conduct examinations currently being conducted of Anthem Inc. and Premera Blue Cross in response to cybersecurity incidents at those companies, the New York Department of Financial Services ("New York") has taken a lead role in the cybersecurity arena through two actions.

First, in February of this year, New York issued its Report on Cybersecurity in the Insurance Sector ("Report"). The Report provided a great deal of information regarding a survey conducted by New York regarding cybersecurity issues at a number of insurance companies doing business in New York. The issues included: (i) the insurer's information security framework; (ii) the use and frequency of penetration testing and results; (iii) the budget and costs associated with cybersecurity; (iv) corporate governance around cybersecurity; (v) the frequency, nature, cost of, and response to cybersecurity breaches; and (vi) the company's future plans on cybersecurity.

New York indicated that it expected institutions regulated by the Department to stay current on the changing landscape of cybersecurity, and it plans to proceed with a number of initiatives in the coming months, including: (i) integrating regular, targeted assessments of cybersecurity preparedness at insurance companies as part of the Department's examination process; (ii) putting forward enhanced regulations requiring institutions to meet heightened standards for cybersecurity; and (iii) exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors.

Second, on March 26, 2015, New York sent a letter pursuant to its authority under New York Insurance Law §§ 308 and 1504(a) to a number of entities, in which it "encouraged all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology." New York also required that the companies receiving the letter provide to New York certain information on 16 different topics pertaining to their cybersecurity practices. For more on New York activity, including recent legislation requiring businesses to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information, see our Information Intersection Blog.

If these state initiatives were not enough, the federal government is also involved, due to the national security implications of this topic and the fact that it has been widely reported that certain foreign governments may be behind certain cyber attacks. The President of the United States issued an Executive Order in February on promoting private sector cybersecurity information sharing, and the Federal Insurance Office has also been monitoring the issue.

It is clear that state insurance regulators will be reviewing: (i) insurance companies that are providing cybersecurity insurance coverage; (ii) insurance companies' cybersecurity risk management practices; and (iii) ways that state insurance regulators can positively impact the market for cybersecurity insurance coverage, as well as ways that regulators can improve cybersecurity practices by entities subject to state insurance regulation. It will be important to follow this rapidly changing area in order to plan for the rollout of these new initiatives.