On February 8, 2015, the New York State Department of Financial Services (“DFS”) issued a Report on Cyber Security in the Insurance Sector (the “Report”) and disclosed a series of steps it will be taking to bolster cybersecurity practices, including regular, targeted assessments of cybersecurity preparedness at insurance companies.
The Report discloses the results of a 2013-2014 survey of 43 health, property and life insurance entities with combined assets of approximately $3.2 trillion. Survey participants were asked to disclose their information security framework; frequency and results of penetration testing; cyber security budgets and costs; corporate governance; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cybersecurity.
The Report found that although nearly all insurers believe that they have adequate staffing levels and sophisticated cyber security practices, additional measures can improve the protection of personally identifiable information and protected health information that is increasingly being targeted by cyber criminals. DFS therefore intends to provide enhanced regulations with heightened standards for cybersecurity, conduct targeted assessments of insurer practices, as well as review the representations and warranties insurance companies receive from third-party vendors.
DFS’s activities in the insurance industry track a similar series of actions it has recently taken in the banking sector. DFS conducted a survey of regulated banking institutions in 2013 and issued a Report on Cyber Security in the Banking Sector in May 2014. In December 2014, DFS issued a New Cyber Security Examination Process for banks that identified the specific issues and factors it would be examining in the course of targeted, cybersecurity preparedness assessments in the banking sector. The factors include a review of protocols for detecting cyber breaches, penetration testing, corporate governance, access controls and the security practices of third-party vendors.