Following up on its promise to “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of [its] examination process,” the New York Department of Financial Services (“DFS”) issued a letter on March 26, 2015, to chief executive officers, general counsels and chief information officers of approximately 160 insurance companies informing them that the DFS has expanded its information technology examination procedures to focus more attention on cyber security (a copy of the letter is available here).
In the letter, the DFS emphasizes that cyber security should no longer be viewed solely as a subset of information technology, but rather as an integral aspect of an insurer’s overall risk management strategy. In its February 8, 2015 “Report on Cyber Security in the Insurance Sector,” the DFS had noted that, of the 43 insurers surveyed for the report, only one insurer had provided “in-depth identification and analysis of cyber security risks specific to the particular entity and discussed specific steps and ongoing projects to mitigate those risks” in its enterprise risk report.
The DFS letter provides a list of new questions and topics the DFS intends to incorporate into its existing information technology examination framework, which will include the following topics:
- Corporate governance, including organization and reporting structure for cyber security-related issues;
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
The DFS letter also invokes the DFS’s authority under Section 308 of the New York Insurance Law to require that insurers receiving the letter submit a special report by April 27, 2015, providing information about the following topics:
- The insurer’s Chief Information Security Officer and other information security personnel;
- The insurer’s information security policies and procedures designed to address the three goals of confidentiality, integrity and availability;
- How data classification is integrated into the insurer’s information risk management policies and procedures;
- The insurer’s vulnerability management program as applicable to servers, networks, endpoints, mobile devices, network devices, systems and applications;
- The insurer’s patch management program, including how updates, patches and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur;
- Identity and access management systems for both internal and external users, including all administrative, logical and physical controls, and whether such controls are preventive, detective or corrective in nature;
- The current use of multi-factor authentication for any networks, systems, programs or applications;
- Application development standards, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process;
- The insurer’s incident response program, including how incidents are reported, escalated and remediated;
- The extent to which information security is incorporated into the insurer’s business continuity and disaster recovery plan, and how that plan is tested;
- Any significant changes to the insurer’s IT portfolio over the last 24 months resulting from mergers, consolidations, acquisitions or the addition of new business lines;
- The insurer’s due diligence process regarding information security practices that is used in vetting, selecting and monitoring third-party service providers;
- Policies and procedures governing relationships with third-party service providers that address information security risks, including setting minimum information security practices or requiring representations and warranties concerning information security;
- Any steps the insurer has taken to adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity;
- Any protections that the insurer uses to safeguard sensitive data that is sent to, received from, or accessible to third-party service providers, such as encryption or multi-factor authentication; and
- Any protections against loss or damage incurred as a result of an information security failure by a third-party service provider, including any relevant insurance coverage.