A question we often get as financial regulators is: ‘What keeps you up at night?’ The answer is ‘a lot of things.’ But right at the top of the list is the cybersecurity at the financial institutions we regulate.”Benjamin Lawsky, prepared remarks from speech at Columbia Law School on February 25, 2015.1
Insurance regulators are gearing up to impose enhanced scrutiny on information security practices to boost protection of sensitive personal information.
Even before the widely publicized data breach at Anthem, Inc., insurance regulators had begun to focus significant attention on the data security of financial services companies, and of insurance companies in particular. New York State Department of Financial Services (NYSDFS) Superintendent Benjamin Lawsky gave voice to this enhanced scrutiny in February 2015, when he warned that “[r]ecent cyber security breaches at financial institutions and other major corporations should serve as a wake up call for insurers to redouble their efforts to strengthen cyber defenses—particularly given the level of sensitive consumer information that insurers are entrusted with handling.”2
We highlight recent cybersecurity developments in the insurance sector below, and encourage insurance companies (like all financial services companies) to review and refine their information security practices and corporate governance protocols related to cybersecurity to meet the rising regulatory and compliance demands in the insurance and financial services sector.
Insurance Information Particularly Valuable. Insurance companies present a particularly appealing target to hackers in large measure because of the concentration of unique and sensitive (and potentially valuable) personal information that they maintain: Social Security numbers, financial account information, addresses and health information. Last year, the Federal Bureau of Investigation warned that hackers were targeting protected health information, and earlier this year, the Director of the Department of Health and Human Services Office of Civil Rights said that health care data breaches were on the rise.3 As highlighted by last summer’s cyber attack on a major New York bank, financial institutions are facing new and increasingly sophisticated threats. While credit card numbers commonly trade for only $10 on the black market, insurance data typically starts at $100, depending on the type of coverage and the potential for fraudulent billing.4 Ironically, some insurance companies may be uniquely familiar with the costs of cyber attacks to the extent they write policies for cybersecurity coverage. Cybersecurity insurance is still a relatively new product, but the market is expected to grow dramatically in the coming years—spending on cybersecurity insurance nearly doubled in 2014 from 2013, to about $2 billion.
Increasing Regulatory Scrutiny. The mounting threat of data breaches in the insurance industry has resulted in a marked increase in regulatory scrutiny. The National Association of Insurance Commissioners (NAIC) has identified cybersecurity in the insurance sector as a key initiative for 2015 and established a Cybersecurity Task Force.5 The stated mission of the NAIC Task Force is to:
- Monitor developments in the area of cybersecurity;
- Advise, report and make recommendations to the Executive (EX) Committee on cybersecurity issues;
- Coordinate activities with NAIC standing committees and their task forces and working groups regarding cybersecurity issues;
- Represent the NAIC and communicate with other entities/groups, including the sharing of information as may be appropriate, on cybersecurity issues; and
- Perform such other tasks as may be assigned by the Executive (EX) Committee relating to the area of cybersecurity.
Insurance companies should also be aware that the SEC and Financial Industry Regulatory Authority (FINRA) recently completed reviews of broker-dealers, and investment advisory firms’ cybersecurity practices.6 These reviews focused on cybersecurity governance, protecting networks that store sensitive information, managing vendor risks and detecting unauthorized activities. Insurance companies should expect similar attention from insurance regulators.
The recent Anthem attack highlights the vulnerability of insurers to data breaches and the concomitant increase in regulatory scrutiny by opportunistic plaintiffs’ lawyers. The breach is believed to have exposed the personal information of 80 million customers and employees. Less than 24 hours after the announcement of the breach, Anthem was the subject of a putative class action lawsuit alleging that it had failed to implement reasonable security measures. And within one week of Anthem’s announcement, attorneys general from 10 states wrote to Anthem “to express [their] alarm at the failure of the company to communicate with affected individuals and, in particular, to provide them details about the protections the company will make available and how to access those protections.”7
Regular Targeted Cybersecurity Assessments. In 2013 and 2014, the NYSDFS examined the state of security protections in a survey of 43 insurance companies.8 The report, issued in February 2015, indicated that the Department planned to integrate “regular, targeted assessments” of cybersecurity preparedness at insurance companies as part of its regular examination process, enhance regulations requiring institutions to meet heightened cybersecurity standards and explore stronger measures related to representations and warranties that insurance companies receive from third-party vendors.
The report found that nearly all insurers reported having an information security framework in place that includes: (1) written information security programs; (2) security awareness and education and training for employees; (3) information security audits; (4) risk management of cyber risk, including the identification of key risks and trends; and (5) incident monitoring and reporting. To further strengthen security, NYSDFS recommended that financial companies participate in the Financial Services – Information Sharing and Analysis Center because “institutions of all sizes can reap benefits” at a low cost.
In December, 2014, the NYSDFS announced that it planned to integrate regular assessment of cybersecurity preparedness into its review of NYSDFS-regulated banks.9 These banks will be examined on, among other things, (1) their protocols for the detection of cyber breaches and penetration testing; (2) corporate governance related to cyber security; (3) their defenses against breaches, including multi-factor authentication; and (4) the security of their third-party vendors. This announcement likely serves as a preview of the types of issues that NYSDFS-regulated insurers can expect the Department to focus on in its examination of insurers. It would be reasonable for insurance companies to consider these same issues in reviewing and refining their own cybersecurity preparedness. Additionally, insurance companies should enhance their enterprise risk reporting to include an assessment of cybersecurity preparedness.
Enhanced Focus on Third-Party Vendor Security. NYSDFS has also indicated that increasing scrutiny would be placed on third-party vendors and that it would focus on improving the legal guarantees of “representations and warranties” that banks and insurance companies receive from vendors regarding information security protections.10
Room for Improvement. Highlighting potential room for improvement, NYSDFS found that over 40 percent of respondents had conducted only a single “penetration test” each year to simulate a cyber attack. Thirty-five percent had experienced between one and five breaches in the preceding three years, while five percent experienced more than 10 successful attacks. While 95 percent of respondents stated they believed they had adequate staffing for cybersecurity, only 14 percent provided monthly cybersecurity briefings to their chief executive officers. Less than 50 percent use biometric tools such as fingerprint or retinal scanning. Mr. Lawsky has said that the financial industry should be focused on ways to improve secure access to customer accounts. “The password system should have been dead and buried many years ago,” he said, “and it is time that we bury it now.”
Insurance Companies Should Be Prepared to Address.
- Corporate governance, including organization and board reporting structure for cybersecurity related issues;
- Management of cybersecurity issues, including the interaction between information security and core business functions, written information security policies and procedures and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management and cyber preparedness vetting of third-party service providers, including third-party administrators;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cybersecurity insurance coverage and other third-party protections.
Insurance regulators have already begun to focus on these and other factors in evaluating insurance companies’ cybersecurity preparedness, and it is likely that, as with the review of banks, the process will become increasingly formalized and rigorous. It is therefore imperative that insurance companies focus now to review the state of their cybersecurity programs.