Cybersecurity continues to be an emerging regulatory issue in the insurance industry, as evidenced by recent actions taken by the New York Department of Financial Services (the “DFS”) and the National Association of Insurance Commissioners (the “NAIC”). Specifically, in a letter dated March 26, the DFS followed up its February 2015 Report on Cybersecurity in the Insurance Sector by requesting information on insurers’ cybersecurity safeguards. Additionally, the NAIC’s Cybersecurity (EX) Task Force held its first public meeting, at which it announced its work plan for 2015.
A. New York Section 308 Letter
On March 26, the DFS issued an information request under Section 308 of the New York Insurance Law to the chief executive officers, general counsels and chief information officers of the largest writers of life, property & casualty, and health insurance in New York (the “Section 308 Letter”), requesting a confidential report on their cybersecurity preparedness. The report is due April 27.
The Section 308 Letter requests detailed information on the cybersecurity safeguards that each company has in place, including its vulnerability management program, its patch management program and its access management system.
Continuing themes in the DFS Report on Cybersecurity in the Insurance Sector issued in February 2015 (See Sutherland Legal Alert) and public statements by the Superintendent, Benjamin Lawsky, the Section 308 Letter asks companies to describe their current use of multifactor authentication and to describe how information security is incorporated into the company’s business continuity and disaster recovery plan. The Section 308 Letter also asks extensive questions about a company’s information risk management of vendors, including the following:
- Describe your institution’s due diligence process regarding information security practices that are used in vetting, selecting and monitoring third-party service providers;
- Provide a copy of any policies and procedures governing relationships with third-party service providers that address information security risks, including setting minimum information security practices or requiring representation and warranties concerning information security; and
- Describe any protections that your institution uses to safeguard sensitive data that is sent to, received from, or accessible to third-party service providers, such as encryption or multifactor authentication.
We observe that the questions asked by the DFS align with the questions identified in the SEC’s 2014 Risk Alert on cybersecurity as SEC examination priorities for 2015. It is also important to recognize that, due to certain provisions in New York law, the answers provided to the DFS can be shared with other regulators, including the SEC.
B. NAIC Spring National Meeting – Meeting of the Cybersecurity (EX) Task Force
The Cybersecurity (EX) Task Force held its first public meeting on Sunday, March 29, during the NAIC’s Spring National Meeting in Phoenix. The meeting room was filled to capacity, with representatives of nearly every state in attendance.
1. The Task Force’s Work Plan
Commissioner Adam Hamm (North Dakota), Chair of the Task Force, began the meeting with an overview of the Task Force’s work plan. The plan includes:
- Issuance of a survey to states on cybersecurity measures—to be completed for discussion and reported during the NAIC’s 2015 Summer National Meeting in August.
- Development of a “Consumer Bill of Rights” to inform consumers of their rights when a data breach has occurred.
- Staying abreast of information-sharing measures.
- Work on NAIC model laws—Commissioner Hamm specifically mentioned the Health Information Privacy Model Act (Model 55); the Privacy of Consumer Financial and Health Information Regulation (Model 672); the Standards for Safeguarding Customer Information Model Regulation (Model 673); and the Insurance Fraud Prevention Model Act (Model 680).
Echoing remarks he made earlier this month, New York Superintendent Lawsky added that the Task Force will look at multifactor authentication and encryption of data at rest. He also noted that the Task Force would look at regulated entities’ vendor practices, commenting that a company’s cybersecurity is only as good as its worst vendor.
2. Anthem Briefing
The main event at the meeting was a briefing given by Anthem’s chief information officer (Tom Miller) and general counsel (Tom Zielinski) relating to the data security breach that Anthem announced earlier this year. This public briefing was apparently preceded by a closed-door meeting with the various state insurance commissioners.
As reported by Mr. Miller, the Anthem breach was the result of an advanced persistent threat that utilized customized malware to bypass or penetrate Anthem’s firewalls. The “threat actors” used external control systems to scan the IT environment until they found a point of compromise. They then disguised themselves as real users, which made them difficult for Anthem to detect. When Anthem noticed that a query was being run by a non-owner of a user ID, it shut down all non-multifactor authentication access, disabled and reissued all user IDs under new credentials, and took other measures to “harden” the system. Anthem was aware that the “threat actors” tried to get back into the system after these measures were taken, without success.
In response to Superintendent Lawsky’s earlier comment on encryption, Mr. Miller noted that even if its data had been encrypted at rest, Anthem still would have been hacked because the hacking was due to compromised passwords. As a result, response efforts were focused on dual-factor authentication.
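The detection signal described in the briefing, a query executed under a user ID by someone other than that ID's owner, can be checked mechanically against database audit logs. The following is an added example written for this alert; it is not Anthem's tooling or anything described in the briefing. The user IDs, host names and audit records are constructed, and the per-user baseline of known hosts is assumed to have been learned from historical authentication logs.

```python
"""
Added example (not from the alert or from Anthem): flag database sessions in
which a user ID is used from a host its owner has never used, and surface
any single host that is driving several user IDs at once. Inputs are constructed.
"""
from collections import defaultdict

# Constructed baseline: the workstation(s) each user ID's owner normally uses.
# Assumed to be built from historical, legitimate authentication events.
KNOWN_HOSTS = {
    "jdoe": {"WS-1041"},
    "asmith": {"WS-2210", "LAPTOP-2210"},
    "svc_report": {"APP-07"},
}

# Constructed audit log lines: timestamp, user ID, source host, statement.
AUDIT_LOG = [
    "2015-01-27T02:11:04Z jdoe WS-1041 SELECT count(*) FROM members WHERE state='NY'",
    "2015-01-27T02:12:30Z asmith LAPTOP-2210 SELECT * FROM claims WHERE id=5512",
    "2015-01-27T02:14:52Z jdoe VPN-POOL-19 SELECT ssn, dob, name FROM members",
    "2015-01-27T02:15:07Z svc_report APP-07 SELECT * FROM monthly_totals",
    "2015-01-27T02:16:41Z svc_report VPN-POOL-19 SELECT ssn, name FROM members LIMIT 1000000",
]


def parse_line(line):
    """Split one audit record into its four fields; the statement may contain spaces."""
    ts, user, host, stmt = line.split(" ", 3)
    return {"ts": ts, "user": user, "host": host, "stmt": stmt}


def is_non_owner_session(record, known_hosts=KNOWN_HOSTS):
    """True when the user ID is being used from a host outside its owner's baseline."""
    return record["host"] not in known_hosts.get(record["user"], set())


def find_suspicious(lines, known_hosts=KNOWN_HOSTS):
    """Return (flagged records, hosts seen acting under more than one user ID)."""
    flagged = []
    users_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        users_by_host[rec["host"]].add(rec["user"])
        if is_non_owner_session(rec, known_hosts):
            flagged.append(rec)
    # One unfamiliar host driving several user IDs is the shape of a single
    # actor working through a set of compromised credentials.
    shared_hosts = {h: sorted(u) for h, u in users_by_host.items() if len(u) > 1}
    return flagged, shared_hosts


def users_to_reissue(flagged):
    """User IDs whose credentials should be treated as compromised and reissued."""
    return sorted({r["user"] for r in flagged})


if __name__ == "__main__":
    flagged, shared = find_suspicious(AUDIT_LOG)
    for r in flagged:
        print(f"ALERT {r['ts']} {r['user']}@{r['host']}: {r['stmt']}")
    print("hosts acting under multiple user IDs:", shared)
    print("credentials to reissue:", users_to_reissue(flagged))
```

Run against the constructed log, the check flags the two sessions from `VPN-POOL-19` and reports that host as operating under both `jdoe` and `svc_report`, which is the kind of finding that justifies the credential reissue and MFA-only access the briefing describes. Encryption at rest would not have changed this outcome, since every flagged query was issued with valid credentials.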
Mr. Zielinski reported that Anthem made a strategic decision to go public with news of the breach through The Wall Street Journal and other media outlets. Mr. Zielinski also reported that Anthem started mailing at a rate of 1.5 million letters per day. The pace was set to manage incoming calls to call centers, and eventually reached up to 2.5 million per day. Anthem also sent e-mail notifications to its customers if Anthem had e-mail addresses, but Mr. Zielinski noted that Anthem did not have many current addresses. He reported that the sign-up rate for identity protection services is roughly in line with historical rates of about 5%.
Mr. Zielinski also noted that the FBI monitors “black market” sites for the sale of stolen personal data and has reported that it has no knowledge of Anthem information having been published.
A regulator asked if Anthem plans to provide a more permanent remedy beyond the two years of free identity protection services that it has offered. The Anthem representatives responded that most companies that were hit with attacks before Anthem offered only one year of free services, which is in line with the experience that compromised personal data will be used within six to nine months of an attack. Anthem has gone beyond what these companies have done by increasing the period of free services to two years.
Superintendent Lawsky also asked what Anthem would do differently to prevent the breach, based on its experience, so that regulators can consider requiring this conduct from all industry participants to ensure a level playing field. Mr. Miller’s response was simply to “move faster,” noting that security is not a static issue and that levels of security are always increasing.
3. IT Examinations
Patrick McNaughton (Washington) provided an overview of the IT Examination (E) Working Group of the Examination Oversight (E) Task Force. Mr. McNaughton, who has served as Chair of the Working Group for nine years, noted that the NAIC Examiners Handbook has had a section on IT examinations for 20 years. He noted that every state is required to use certified IT experts in the review of data control systems during financial examinations, which is an accreditation requirement for multistate examinations. He also explained the differences between what examiners and security consulting firms do: examiners make sure the regulated companies are hiring the right kinds of firms to do the right kinds of audits and testing, while the security firms hired by the regulated entity will actually audit and engage in penetration testing.
4. Guiding Principles
The Task Force concluded its meeting by receiving comments on its proposed Principles for Effective Cyber Security Insurance Regulatory Guidance (the “Principles”). The principle that generated the most comments from interested persons was Principle 5, which provides that “compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with national efforts embodied in the National Institute of Standards and Technology (NIST) framework.” Several interested persons noted that the NIST framework should not be the only standard considered, and instead urged consideration of multiple standards. Industry commenters also questioned the appropriateness of Principles 17 and 18, which include oversight of cybersecurity insurance products. These commenters noted that there should be no differentiation from the oversight of other lines of business, and that impediments to participation in the cybersecurity insurance markets should not be created.
The Task Force set April 10 as the deadline for comment on the Principles. A conference call for discussion of the comments received and the adoption of revised Principles will be scheduled for April 16.