On February 9, the New York Department of Financial Services (DFS) released aReport on Cyber Security in the Insurance Sector (Report), summarizing the results of a survey completed by 43 insurers about their cybersecurity programs, costs and future plans. The Report also announced a series of measures that DFS will take in the future to help strengthen cybersecurity in the insurance sector. These measures include: (i) targeted assessments of “cybersecurity preparedness” at insurance companies as part of the DFS examination process; (ii) proposing enhanced regulations requiring insurers to meet heightened standards for cybersecurity, including possible use of multi-factor authentication; and (iii) exploring measures related to the representations and warranties insurers receive from third-party vendors that handle customer data, as well as other measures.

“Recent cyber security breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber defenses,” said New York DFS Superintendent Benjamin Lawsky. “Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers.  Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.” The Report was issued in the wake of a recent massive data breach at health insurer Anthem, Inc., which exposed personal information on more than four million New Yorkers.  

The survey of 43 insurance entities (21 health, 12 property/casualty, and 10 life insurers) conducted in 2013 and 2014 found that 58% of insurers reported that they had experienced no cybersecurity breaches in the prior three years, while 5% had experienced more than 10 breaches. The insurers also reported experiencing “relatively few negative effects” as a result of their breaches or hacking attempts, with only one insurer reporting a significant loss of between $6 million and $10 million as a result of the breaches. In the survey, 95% thought their security departments were adequately staffed, 84% reported participating in information-sharing organizations and 84% reported conducting audits of third-party service providers that handle customer data. In this regard, DFS noted its concern that even a small number of insurers do not conduct audits of third parties or participate in information-sharing organizations. DFS also noted its belief that institutions of all sizes “can reap benefits from membership in information-sharing organizations, such as the Financial Services – Information Sharing and Analysis Center (FS-ISAC).”

Nearly all insurers reported having an information security framework in place, while 98% of insurers reported having a designated communications officer for responding to breaches. And while all insurers surveyed reported engaging in penetration testing of their systems, DFS noted that the results of such testing can become quickly outdated as new threats emerge. Rather, DFS opined that ongoing vulnerability scanning is as, if not more, important than penetration testing to identify known weaknesses and potential exposures.

Regarding corporate governance, a majority of insurers reported the involvement of a number of different departments in cybersecurity governance, including IT, compliance and legal. But only 14% of the insurers reported that their chief executive officers are updated frequently on information security issues, while 9% reported that their boards are updated on an annual or an ad hoc basis.

The Report also noted that only one Enterprise Risk Management (ERM) report of the surveyed insurers provided an in-depth identification and analysis of cybersecurity risks and discussed specific steps and ongoing projects to mitigate the risks. As awareness of cybersecurity risks increases, DFS expects that future ERM filings will include more frequent explicit references to cybersecurity.

Finally, the Report noted that most institutions “will continue to be challenged by the sophistication of cyber security threats and the speed at which technology is changing.” DFS will continue to engage in discussions with the industry and cybersecurity experts, revising its cybersecurity examination processes to include extensive training for its IT examiners, so that they are prepared to identify vulnerabilities and work with institutions on implementing appropriate solutions. The Report concluded that DFS “believes that such cooperation and dialogue is essential to developing smart and effective cyber security programs across New York’s financial services industry.”