The New York Department of Financial Services (“DFS”) sent “308 Letters” to the largest insurers it regulates yesterday, requiring information on their cyber security, according to a press release issued by New York Governor Andrew Cuomo. The information to be provided includes: (a) information on any cyber attacks the company has been subject to in the past three years; (b) the cyber security safeguards the company has in place; (c) the company’s information technology management policies; (d) the amount of funds and other resources dedicated to cyber security at the company; and (e) the company’s governance and internal control policies related to cyber security.

Earlier this month, Governor Cuomo announced the members of the newly formed Cyber Security Advisory Board, which is charged with “advising the administration on developments in cyber security and making recommendations for protecting the state’s critical infrastructure and information systems.” DFS Superintendent Benjamin Lawsky, who co-chairs the Cyber Security Advisory Board, said of the inquiry into insurer cyber security: “Cyber security at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot. We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.” Governor Cuomo stated: “The extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers.”

For more information on privacy and data security, please see our White Paper, “Everyone's Nightmare: Privacy and Data Breach Risks,” or contact the authors of this blog.