On May 28, 2013, the New York State Department of Financial Services (the "DFS") issued inquiry letters, pursuant to its authority under Section 308 of the New York Insurance Code, to 31 of New York's largest life, health and general liability insurance companies. The "308 letters" request information from these insurers regarding steps they are taking to prevent cyber attacks. Specifically, the DFS is requesting information (to which the insurers are required to respond) regarding:
- Any cyber attacks the companies have been subject to in the past three years;
- The cyber security safeguards the companies have put in place;
- The companies' information technology management policies;
- The amount of funds and other resources dedicated to cyber security at each company; and
- The companies' governance and internal control policies relating to cyber security.
As Section 308 does not address the confidentiality of responses, insurers responding to the 308 letters should request that their responses be excepted from disclosure under FOIL (the New York Freedom of Information Law) pursuant to Sections 89(5) and 87(2)(d) of the New York Public Officers Law.
The above information requests are similar to ones the DFS sent earlier this year to the largest banks that it regulates and are related to Governor Cuomo's increased focus on the cyber security of the state's "critical infrastructure and information systems." The focus on the cyber security practices of insurance companies follows the Governor's recent formation of the Cyber Security Advisory Board (the "CSAB"). Benjamin Lawsky, Superintendent of the DFS and Co-chair of the CSAB, has remarked on the importance of making sure that "insurance records are protected from hack attacks that could put New Yorkers at risk" because "cyber security at insurance companies is something that often gets overlooked."
New York's investigation of the cyber security practices of the insurance industry is a likely indicator of how other regulators will approach the cyber security practices of insurance companies.
With that in mind, insurance companies should take a dynamic and proactive approach to establishing internal guidelines and procedures that help prevent cyber attacks, so that customer personal information is protected and regulators and customers alike are confident that it is.
Some examples of best practices to consider include:
- Identifying an executive responsible for leading your cyber security program, including establishing documented policies and procedures.
- Maintaining a comprehensive cyber security policy that is based on generally accepted guidelines, such as the ISO 27000 suite of standards.
- Addressing key substantive requirements such as access controls, encryption, incident response and business continuity planning.
- Ensuring that vendors providing services to your company meet or exceed your own cyber security requirements.
- Continuously monitoring the performance of your cyber security program against key metrics, with regular updates to senior management.
- Consulting legal counsel to ensure that you have satisfied all legal and regulatory requirements.
A press release issued by the DFS regarding the issuance of the 308 letters can be found at http://www.dfs.ny.gov/about/press2013/pr1305281.htm.