On March 26, 2015, the New York State Department of Financial Services (NYDFS) announced that it is broadening the scope of questions and topics in its current information technology (IT) examination framework. In addition, the NYDFS requires insurers to provide a response to 16 questions about their overall cyber security posture via a “secure portal,” by April 27, 2015. This is part of the NYDFS’s increased focus on cyber security.
It should come as no surprise that regulators are increasing their scrutiny of insurers’ cyber security, especially in the wake of the reported Anthem Inc. breach. Yet organizations must consider carefully how they respond to inquiries from regulators. As the past few years have shown, no system is entirely secure, and answering questions about cyber security in too much detail could provide a road map for malicious actors to hack into an organization. While NYDFS has demanded compliance within a short time frame, organizations may want assurances that appropriate security measures are in place to prevent hackers from gaining access to the sensitive information of the organizations surveyed.
Background on the Initiative
The NYDFS is responsible for regulating financial services and products, including those subject to New York State insurance, banking and financial service laws. Over the past year, the NYDFS has continued its efforts to be seen as a leader in the cyber security space, issuing guidance to the financial and insurance industries on cyber security. Among its many recent initiatives is issuance of an industry guidance letter to all NYDFS-regulated banks outlining specific issues and factors on which those institutions will be examined as part of a new, targeted DFS cyber security preparedness assessment. A similar NYDFS report on cyber security in the insurance industry was issued for insurance institutions on February 8, 2015.
The insurance report included a survey of 43 insurance entities with approximately $3.2 trillion in assets about their cyber security programs, costs and future plans. While it might be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the survey found that was not the case. It was reported that 95 percent of insurers believe they have adequate staffing levels for information security, but only 14 percent of CEOs receive monthly briefings on information security. The report called recent security breaches “a wake-up call for insurers to redouble their efforts to strengthen their cyber defenses” and stated that NYDFS will proceed with “a number of initiatives,” including “regular assessments” and “enhanced regulations” to ensure security preparedness.
Details of the Initiative
The March 26, 2015, announcement continues the Department’s aggressive approach to ensuring stricter cyber defenses in banking and insurance institutions. Specifically, this announcement broadens the Department’s approach to information technology examinations and will include, among other topics, organizations’ protections against intrusion, incident detection and response processes, and information security testing and monitoring, including penetration testing. The announcement also requires institutions to provide a detailed report in response to 16 questions via the NYDFS’s “secure portal” by April 27, 2015.
These questions/requests include, but are not limited to:
- Provide a copy of all information security policies pertaining to the confidentiality, integrity, and availability of the systems and information.
- Describe data classification.
- Describe the institution’s vulnerability management program.
- Identify and describe the use of multi-factor authentication for any networks, systems, programs or applications.
- Describe all application development standards.
- Provide a copy of the institution’s incident response program.
- Provide a copy of any policies and procedures governing relationships with third-party service providers that address information security risks.
While the NYDFS’s efforts can be applauded as the next step in ensuring organizations are taking the appropriate steps to protect their infrastructure and sensitive information contained therein, organizations might regard the list of information and documents requested with a degree of concern. This information can be considered extremely sensitive, and many companies, while they may allow their business partners to review this information, will not provide them with copies of some of these documents because of security concerns. For instance, penetration testing is designed to provide the company with a comprehensive analysis of its overall security posture. The penetration test is intended to provide the company with a more in-depth analysis of vulnerabilities that surface tests may not identify.
A Treasure Trove for Hackers?
Ultimately, the information requested by the NYDFS could outline what organizations are doing well and what they are not doing well to protect their data and their systems. If hackers were to obtain this information, there would be no need to conduct months of reconnaissance against victim organizations. Instead, the hackers would have everything they need to launch a targeted attack against the organizations.
Ironically, the NYDFS intends to ask questions about the organizations’ management of third-party service providers, but we have yet to learn whether the NYDFS intends to provide any assurances about its own internal protections for this information. While the NYDFS would not technically be considered a third-party service provider, it is a third party that will have access to organizations’ sensitive and confidential information. We are unaware of any guidelines or assurances about steps the NYDFS is taking to safeguard this information or whether the NYDFS is claiming to be exempt from this requirement.
While many recent discussions have focused on the need to share information to effectively defend against cyber attacks, organizations should be careful about providing sensitive, confidential information about internal systems to other parties without first obtaining assurances that the data will be safeguarded appropriately. Thus, while the NYDFS’s efforts to provide organizations with clearer guidance on what may be considered as sufficient cyber security measures should be applauded, there is concern that the initiative is moving too quickly without ensuring the information provided will be appropriately secured. It remains to be seen whether the NYDFS will begin a dialogue with the organizations it oversees to provide assurances that it is taking all necessary steps to protect the sensitive information provided by those organizations.
In the interim, those organizations providing the sensitive information may wish to take every possible precaution to ensure their responses are safeguarded from intrusion and have plans in place to the extent possible in the event that the information is compromised. In addition, as the NYDFS has not reached out to the organizations providing the sensitive data, the providers of the information may wish to contact NYDFS to confirm that such information will be protected at least to the standards they use to safeguard their own data.