Regulators in California and New York are concerned about the increased risk and sophistication of cyber attacks on the security of personal information collected by regulated entities. This month, both the California Department of Insurance and the New York Department of Financial Services have announced new efforts to assess and examine the ways in which regulated entities are managing cybersecurity risk.
On May 16, 2014, the California Department of Insurance issued a Notice to all admitted insurers, insurance producers and other interested parties requesting that it be provided with copies of any data breach notifications or other information submitted to the Attorney General's Office in accordance with California's data breach notification law. The stated purpose of the Notice was to inform insurers and producers of California's improper personal information disclosure and security breach notification requirements. Citing the Insurance Information and Privacy Protection Act (IIPPA), the Notice reminds carriers, producers and insurance support organizations that the IIPPA restricts the manner in which they may collect, use and disclose a consumer's personal or privileged information and that the insurance Commissioner is vested with the power to examine and investigate the affairs of persons or entities engaged in the business of insurance to verify compliance with IIPPA's provisions. The Notice also cites California's data breach notification law, California Civil Code section 1798.82, which requires entities that own or license computerized data that includes personal information to disclose any breach of the security of the data to impacted California residents. When more than 500 residents are impacted, the entity must also submit a sample copy of the breach notification to the Attorney General of California. The Notice requested that all insurers, insurance producers and insurance support organizations provide the California Department with copies of any notices or information submitted to the Attorney General's Office in accordance with Civil Code 1798.82(f).
On May 6, 2014, New York Governor Andrew Cuomo announced the release of a cybersecurity report discussing the growing risk and sophistication of cyber attacks. Governor Cuomo directed the Department of Financial Services (DFS) to conduct cybersecurity preparedness assessments of the banks which it regulates. The cybersecurity report, the product of a year-long survey conducted by DFS of 154 banks, found that most banks had experienced intrusions or attempted intrusions into their IT systems over the past three years and the vast majority are planning to ramp up cybersecurity spending in coming years. As part of its regular examination process, DFS plans to implement a new targeted assessment of each bank's cybersecurity preparedness. The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management and disaster recovery.
DFS launched a similar effort to survey the cybersecurity efforts of the insurers it regulates in May of last year. The newly announced bank examination procedures are sure to provide clues as to where New York regulators are headed on new insurance examination procedures that will likely be announced later this year.