The State of New York has launched an investigation into the policies and procedures established by New York’s largest insurance companies to secure their electronic systems from unauthorized access. Through the use of so-called “308 Letters” issued by the New York Department of Financial Services (Department), these insurers must provide specific information, including:
- Information regarding any cyber-attacks in the past three years
- Cybersecurity safeguards that the insurer has in place
- Information technology management policies
- Amount of funds and other resources expended on cybersecurity
- Governance and internal controls related to cybersecurity
In responding to a 308 Letter, the requirements of New York Insurance Regulation 173 should be considered. Regulation 173, promulgated in 2002, provides that insurers must implement a comprehensive written information security program (WISP), which must be adjusted as changes in technology and other specified circumstances warrant. Insurers responding to a 308 Letter may benefit from reviewing any materials they developed in 2002 in response to Regulation 173, since much of what the Department now asks about overlaps with what a WISP should already document.
In preparing responses to a 308 Letter, insurers and regulators need to consider the sensitivity of the information being sought and how this information could be misused by hackers. It will be important to satisfy regulators’ concerns by responding accurately and truthfully, while remaining mindful that detailed descriptions of cybersecurity measures, policies and procedures could provide would-be hackers with a road map, enhancing their ability to obtain the sensitive data that the insurer is protecting. Resolving these issues will be facilitated by thoughtful discussion between responding insurers and regulators, aided as needed by counsel and security consultants.