Cybersecurity and the Insurance industry

Cybersecurity is quickly emerging as a top policy issue for insurance regulators. Speaking at a Dow Jones Risk & Compliance forum last week, on April 21, 2015, New York Superintendent of Financial Services Benjamin Lawsky, said "I think [cybersecurity] will probably be the most important  issue we work on in 2015 and probably 2016."  Mr. Lawsky continued, stating "It is less of an enforcement issue and more of getting all the institutions we regulate to up their game, and there’s a lot they can do."

These statements followed remarks by Robert Easton, the outgoing Executive Deputy Superintendent for Insurance in New York, at a March meeting of the Insurance Federation of New York, Inc. Mr. Easton focused on several gating items, including potentially requiring provisions in contracts between insurers and third-party vendors that would obligate the third party to take the same or similar steps as the insurer to protect company data as well as developing reps and warranties that would enhance data safeguards.  Mr. Easton also noted that cyber liability insurance is currently written in a narrow fashion and that increased appetite for underwriters to provide cyber liability would be a positive step for the insurance marketplace.

The comments from top regulators at the New York Department of Financial Services (NYDFS) set a collaborative tone for working closely with the insurance industry in tackling cybersecurity issues.  While it is a positive sign that NYDFS does not currently view cybersecurity as an "enforcement issue" and appears to want to work together with industry on cybersecurity, insurers who neglect cybersecurity are likely to draw unwanted attention from NYDFS and other regulators.  We will be monitoring comments from NYDFS closely for any change in its current stance or tone.

Background

Increasingly, financial institutions, including insurance companies, risk having sensitive corporate and customer data compromised by hackers.  Static defenses, such as firewalls and anti-virus software, are losing the battle against an evolving threat.  The threats are becoming more targeted, sophisticated and varied in motivation, all of which, according to Superintendent Lawsky, makes cybersecurity an issue that keeps regulators up at night.

In addition to hackers, cybersecurity presents an increasing regulatory risk for insurance companies..  There is a complex and growing web of hundreds of detailed privacy and security requirements for insurance companies at the state, federal, international and self-regulatory levels.  Companies could be exposed to liability from insurance regulators, state attorneys general and the Federal Trade Commission, among other government agencies, as well as litigation from business partners and class action plaintiffs.

Insurance regulators and cybersecurity

In November 2014, the National Association of Insurance Commissioners (NAIC) established the Cybersecurity (EX) Task Force in order to monitor developments in cybersecurity. Two weeks ago, on April 16, 2015, the NAIC released a draft of twelve guiding principles intended to establish insurance regulatory guidance that promote the relationships among regulators and insurers and protect consumer data.  These principles include, among others:

  • Giving insurance regulators a significant role and responsibility regarding protecting consumers from cybersecurity risks, and ensuring breach notice systems are in place;
  • Providing guidance that is flexible, scalable, practical and consistent with industry standards;
  • Providing guidance that is risk-based and that accounts for company resources, with a minimum expectation of security standards; and
  • Establishing requirements for incident response, training, third party vendors and Enterprise Risk Management.

Industry response to these principles has been generally positive, especially with respect to principles regarding scalability and flexibility.

As mentioned above, NYDFS has also been focusing on cybersecurity and has issued several reports and statements indicating that it is a critical issue for the agency.  In February 2015, NYDFS announced a new initiative regarding targeted cybersecurity assessments for insurance companies.  As part of this initiative,  NYDFS plans to integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the its examination process as well as put forward new regulations requiring institutions to meet heightened standards for cyber security. NYDFS also stated that it will also examine stronger measures related to the representations and warranties insurance companies receive from third-party vendors.

Conclusion

Regardless of how the NYDFS plans to work with insurers in the future, it is clear that the NYDFS, as well as other insurance regulators, are focused on cybersecurity as a critical risk management issue for insurers and other financial institutions. Now is the time for insurers to step up efforts concerning cybersecurity in order to stay ahead of regulatory expectations.  In particular, companies should focus on building incident response and vendor management capabilities, including assessments of potential cybersecurity risks in their relationships with third parties.

Senator Warren's investigation of sales incentives offered by annuity writers

On April 28, Senator Elizabeth Warren, a member of the Senate Banking Committee, launched a public inquiry that could have wide-ranging impacts on the insurance industry.  Senator Warren sent a letter to the CEOs of the 15 largest US annuity writers, requesting information on the incentives they offer to brokers and agents for selling their products.  The letters focused primarily on non-cash compensation and provided examples of international trips, jewelry, motorcycles and iPads provided to top sellers.

Senator Warren expressed her concern that such incentives "present a conflict of interest for agents and financial advisors that could result in these agents providing inadequate advice about annuities to investors and selling products that may not meet the retirement investment needs of their buyers." According to the letters, it "appears that most agents and brokers do not disclose these payments, and that most buyers have no knowledge that their annuity sales agent may be motivated by anything besides their financial interests."

The Senator's press release tied the inquiry to her support for the Department of Labor's effort to adopt a "strong conflict-of-interest rule . . . to protect retirees by requiring advisors to act in their clients' best interests."  The inquiry seems destined to have a broader impact on the insurance industry as well. Senator Warren's announcement came on a day when the Senate Banking Committee held a hearing on the insurance regulatory system and could lead to copycat investigations by state insurance regulators around the country.  At a minimum Senator Warren's actions will put pressure on insurance regulators to defend the state regulatory system from potential criticism that it isn't doing enough to protect annuity investors.

ICYMI…

Noteworthy links from the past two weeks

General

  • The Senate Banking committee heard testimony on international capital standards [Law360]
  • NYDFS and Superintendent Lawsky have begun installing independent monitors at companies even while regulatory investigations are still pending [Forbes]
  • NYDFS Superintendent Lawsky warned against "cowboy" regulators [Capital]
  • The NAIC Cyber Security Task Force released its Guiding Principles [NAIC]
  • The House of Representatives passed a bi-partisan cyber security bill [New York Times]
  • And Superintendent Lawsky again cited cyber security as his top priority [The Wall Street Journal]
  • Former Federal Reserve Chairman Paul Volcker urged a further shakeup of the federal financial regulatory structure [Bloomberg]
  • A study found that muni-bond insurance pays [The Wall Street Journal]

Property & Casualty

  • Ocwen and Assurity settled a force-placed class action generated by regulatory investigations [Law360]
  • A poll cited cheaper insurance as a leading reason consumers are likely to buy fully automated cars [Wired]
  • New York proposed new regulations governing title insurance agent compensation [New York Department of Financial Services]

Life & Health

  • Analysts said MetLife could follow GE's lead and slim down to escape SIFI designation [The Wall Street Journal (subscription required)]
  • California Commissioner Dave Jones asked the legislature to expand his authority over health insurance rates [Sacramento Business Journal]
  • The EEOC issued preliminary rules on employee wellness programs [Business Insurance]
  • The Florida governor announced he would sue the federal government in an effort to resist Medicaid expansion in his state [New York Times]
  • Two groups of senators introduced bills that would "fix" the ACA if the Supreme Court decision ends subsidies on the federal exchange [Health Affairs]
  • Insurers worried about upcoming insurance rulemaking by the Federal Reserve [The Wall Street Journal]
  • The Department of Labor released a new fiduciary duty / conflict of interest proposal for retirement advice [Dentons]

International