Security experts are warning that 2015 is the “Year of the Healthcare Hack” as media outlets continue to report on a number of high-profile companies that have recently experienced attacks by cybercriminals seeking valuable personal information. Anthem Inc., the second-largest U.S. health insurer, made public a massive breach of its database containing nearly 80 million records of both customers and employees, leading to investigations by state and federal authorities. Primera Blue Cross subsequently reported that it was the victim of a network intrusion, resulting in the breach of financial and medical records of 11 million customers. Several of the world’s largest financial companies have also been victims of large and costly attacks. These are just the latest in an increasingly alarming trend of bigger and more brazen hacks of major institutions.

According to a study jointly conducted by McAfee and the Center for Strategic and International Studies last year, cybercrime may cost the world as much as $575 billion per year, but an accurate assessment is difficult because many attacks go undetected or unreported. Local, state and federal authorities are now taking a more aggressive approach to investigating these attacks and to creating new regulations that will protect personal information. Financial institutions and insurance companies should stay apprised of developments in this field to protect themselves from major economic damage.

The Status of Cybersecurity RegulationAs public pressure for a response by governments and companies continues to grow, it is increasingly likely that more-stringent standards for cybersecurity will be required by various regulators, or serve as the basis for tort liability for companies that do not adequately protect their IT systems. Longer term, it is possible that Congress will enact new legislation to give the federal government authority to regulate key areas of IT infrastructure. President Obama’s May 2014 Executive Order (EO) 13636, entitled “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to review their regulations; namely, the Environmental Protection Agency (EPA), the Department of Health and Human Services (DHHS), and the Department of Homeland Security (DHS). However, the major outcome was that the administration agreed to continue a voluntary approach to cybersecurity regulation.

The Health Insurance Portability and Accountability Act (HIPAA) gives DHHS authority to promulgate and enforce regulations regarding the information security measures that health care entities and their associates must employ to protect sensitive information of patients. Other agencies may also claim to have authority to enforce information security measures against such health care entities.  In addition, Congress is currently considering the Data Security and Breach Notification Act, which would supplant state security laws across the nation, but such legislation has been considered before and is still a long way from passing. In the meantime, it will be up to state legislatures and executives to lead the way.

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring companies or government entities to notify individuals of security breaches of information involving personally identifiable information. These state security breach laws typically have provisions regarding who must comply with the law (businesses, data/information brokers, government entities, etc.); definitions of “personal information” (name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition or access of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information). Those companies that have information on foreign residents must also be aware of regulatory requirements in those jurisdictions.

Putting aside the three states that do not have data breach notification statutes, some states are more active than others in this space.

  • California’s attorney general has established a Privacy Enforcement and Protection Unit within the state’s Department of Justice to aggressively enforce agreed-upon privacy policies and the state’s security breach notification law. California also launched a multi-stakeholder cybersecurity task force to secure the state’s cyber infrastructure.
  • Washington state announced the appointment of its first chief privacy officer.
  • New Jersey’s Office of Homeland Security and Preparedness (OHSP) has a number of initiatives, including its Cyber Security Tips Newsletter and active involvement with the New York/New Jersey Public-Private Sector Cyber Workgroup. Governor Christie also signed a law (No. 562) in January that will require health insurance carriers to encrypt personal information.
  • Virginia Governor McAuliffe recently announced the creation of a state-level organization intended to foster sharing of cybersecurity threats and attacks.
  • Connecticut’s attorney general recently announced the formation of a data security division and two encryption bills have been introduced in the legislature. One version of the bill (SB 1024) introduced in the Senate would require health insurance carriers to encrypt personal data, and another introduced by Governor Malloy (SB 589) would also apply encryption requirements to banking and financial institutions. Both bills are currently being reviewed by the Senate’s Insurance and Real Estate Committee.
  • In New York, the Department of Financial Services is taking a particularly aggressive approach toward ensuring stricter cyber defenses in banking and insurance institutions.

New York Department of Financial Services: A Bellwether for RegulationThe New York Department of Financial Services (NYDFS) is responsible for regulating financial services and products, including those subject to New York State insurance, banking and financial service laws. The Superintendent of Financial Services, Benjamin M. Lawsky, has gained a national profile through his efforts on a number of regulatory issues, and it appears cybersecurity is the agency’s next big initiative.

On December 10, 2014, Superintendent Lawsky issued an industry guidance letter to all NYDFS-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of a new, targeted DFS cybersecurity preparedness assessment. A similar NYDFS report on cybersecurity in the insurance industry was issued for insurance institutions on February 8, 2015. It is safe to say that NYDFS is letting it be known what it believes to be best practices in advance of firmer requirements issued through formal regulations.

In the banking guidance, NYDFS stated it will regularly examine protocols for the detection of cyber breaches and penetration testing; corporate governance related to cybersecurity; defenses against breaches, including multi-factor authentication; the security of third-party vendors; and review of a number of other critical procedures. This will include a very detailed assessment of institutions’ internal security policies and practices.

The insurance report included a survey of 43 insurance entities with approximately $3.2 trillion in assets about their cybersecurity programs, costs and future plans. While it might be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the survey determined that was not the case. Moreover, the survey found that 95 percent of insurers believed they have adequate staffing levels for information security and only 14 percent of CEOs receive monthly briefings on information security. The report called recent security breaches “a wakeup call for insurers to redouble their efforts to strengthen their cyber defenses” and stated that DFS will proceed with “a number of initiatives,” including “regular assessments” and “enhanced regulations” to help ensure security preparedness.

Some specific measures outlined in the banking letter and the insurance report included the following:

  • A more holistic reporting structure within corporate governance
  • Written information security policies and periodic reevaluation
  • Review of risks posed by shared infrastructure
  • More frequent penetration testing (simulating cyberattacks)
  • Use of biometric information and multi-step processes for authentication
  • Robust incident detection and response processes
  • Training of information security professionals
  • Requiring new representations and warranties from third-party vendors
  • Dedicated information security executives
  • More frequent briefing of executives on cyber-preparedness
  • Cybersecurity insurance coverage.

In addition, New York State Insurance Regulation 203,11 N.Y.C.R.R. Part 82, passed in 2014, requires certain insurance entities to file an annual enterprise risk management (ERM) report with NYDFS identifying material risks to their operations. The Department expects these filings to include an assessment of cybersecurity preparedness. These actions are in line with a report subsequently issued by the National Association of Insurance Commissioners  on April 21, 2015, that detailed 12 principles meant to establish base guidelines for the protection of consumer information and insurance company data. This report called upon state insurance regulators to mandate breach notification and establish a set of minimum standards for all entities regardless of size or scope of operations. The report also called for regulatory oversight, including risk-based financial examinations or market conduct examinations related to cybersecurity.

Insurance carriers and banks that are affiliated with broker-dealers or registered investment advisors are also subject to regulatory oversight by the Securities and Exchange Commission (SEC) along with the Financial Industry Regulatory Authority (FINRA). The SEC has issued two regulations, Reg. S-P and Reg. S-ID, that require financial institutions to protect customer information and to adopt written identity theft prevention, respectively. In addition, in February 2015, FINRA issued a 46-page report that contains extensive findings regarding industry-wide cybersecurity practices and detailed recommendations about the steps that broker-dealers should take to protect  their IT infrastructure and customer information.  

Next Steps: Preparing Companies for Cyber Attacks, Litigation and Regulation

Financial and insurance institutions must make cybersecurity a top priority. The stakes are extremely high with customer and employee information at risk, and seemingly no company immune to the increasing sophistication of cybercrime. While each company may have differing resources available to address these issues, all must take the threat of cyber crime and the promise of additional regulatory actions very seriously. The NYDFS report, Reg. S-ID and the FINRA Report outline a number of practices that companies should consider, not simply for the sake of protecting their customers, clients and employees but also to protect their infrastructure and business operations and to protect themselves from potential litigation and get ahead of future regulation. As states and federal regulators continue to become more active in this space, companies should proactively seek to be at the forefront of cybersecurity developments.