The New York Department of Financial Services has released its Report on Cyber Security in the Insurance Sector and announced it will begin conducting targeted cybersecurity assessments of New York-regulated insurance companies.

“Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses,” said Benjamin M. Lawsky, Superintendent of Financial Services for the department, when releasing the report on February 8.  Superintendent Lawsky also called for both regulators and private companies to “redouble their efforts” to safeguard consumer data.

In addition to targeted cybersecurity assessments, the department also announced several other initiatives, aimed at New York-regulated insurance companies, that are intended to encourage better cybersecurity preparedness in the insurance industry, including: 

  • enhanced regulations that require insurance companies to meet heightened standards for cybersecurity
  • considering possible improvements to representations and warranties insurers should require from their third-party vendors and
  • exploring the cyberinsurance market and ways to support and encourage its development. 

The department did not elaborate on the scope of any of the planned initiatives, but stated that it expects to proceed with them in the “coming weeks and months.”

The Report comes on the heels of a December 2014 letter issued by Superintendent Lawsky to New York-regulated banks, containing cyber security preparedness guidance and announcing new targeted cybersecurity preparedness assessments for New York-regulated financial institutions.

According to the February Report, the department surveyed the cybersecurity practices of 43 providers, including health insurance, property and casualty, and life insurance providers, with collective assets just over $3 trillion.  The insurers shared their cybersecurity programs and, where applicable, their enterprise risk management reports, which are required as of 2014 for some insurers under New York State insurance regulations.

The Report contained several positive findings. According to the Report, over 80 percent of insurers surveyed reported that they:

  • have communications plans to respond to and provide notice of a cyber-security breach
  • participate in information-sharing organizations
  • audit third-party service providers who handle personal data
  • employ industry standard security technologies
  • have policies to minimize risks posed by social media
  • have increased their information security budgets over the past three years
  • have corporate governance procedures that include well-rounded participants from all important parts of an organization (e.g., IT, compliance officers, general counsel, CEOs)
  • have a designated information security executive

On the other hand, the department saw a definite need for improvement in key areas and urged insurers to do the following:

  • report information security issues to senior management monthly
  • report information security issues to boards of directors and CEOs at least quarterly, plus ad hoc reports
  • avoid relying primarily on penetration testing to determine whether vulnerabilities exist. According to the department: “Ongoing vulnerability scanning is as − if not more − important than penetration testing to identify known weaknesses and potential exposures.”

Cyberattacks in the insurance industry

The department found that over half the insurers reported having experienced no cyber security breaches in the three years preceding the survey.  Respondents that had experienced breaches reported causes that ranged from malware, hacking, and email (“phishing”) scams to gaining control of network computers (e.g., botnets).

Forty percent of respondents reported that they believe they should modify existing cybersecurity strategies to address new and emerging risks.  The department concluded that insurers continue to be challenged by the sophistication of cybersecurity threats and the speed at which technology is changing (a common theme in many sectors).

Two additional interesting findings were that the largest insurers did not necessarily have the most robust and sophisticated cyberdefenses, and only 14 percent of respondents’ CEOs receive monthly briefings on information security.
