On February 8, 2015, the New York Department of Financial Services (DFS) issued its Report on Cyber Security in the Insurance Sector and announced measures to test New York-licensed insurers for the adequacy of their cyber security preparedness. (DFS's press release, which contains a link to the report, is available here.) These materials have taken on heightened significance since disclosures earlier this month by leading health insurer Anthem of a major data breach, a development mentioned in the report as a cautionary item for other carriers.
The report principally summarizes a survey conducted by DFS of 43 insurers on cyber security. Questions asked in the survey concerned, among other things:
- incidences of hacking or other breaches,
- the extent to which these were reported to regulators or law enforcement,
- lines of authority within the insurer's management for reporting on cyber security (e.g., whether the individual with authority for cyber defense reports to the CEO),
- whether security systems are managed internally or are outsourced,
- the types of security technology used,
- protocols for mobile devices and cloud storage,
- information security budgets and
- challenges faced in implementing adequate cyber security policies.
Primarily an empirical rather than a prescriptive study, the DFS materials do not explicitly articulate proposed measures for insurers or "best practices." This distinguishes the report from other recent publications on cyber risk by advisory and professional groups such as the National Association of Corporate Directors' 2014 Cyber-Risk Oversight publication, issued as part of its Director's Handbook Series. Nevertheless, the DFS survey and press release appear to provide some guidance on complying with information security requirements.
First, the survey can be understood in the context of DFS Regulation 173, Standards for Safeguarding Customer Information (codified at 11 NYCRR Part 421, available here), which took effect in 2002 and imposes requirements relating to cyber security. The Regulation requires a New York-licensed insurer to implement a "comprehensive written information security program" for protecting customer information. (The Regulation's definitions of key terms such as "customer," "customer information" and "licensee" are incorporated from Regulation 169, 11 NYCRR Part 420, a related rule on customer privacy.) The program must be designed to "ensure the security and confidentiality" of such information, "protect against any anticipated threats" to information security or integrity and "protect against unauthorized access" that could result in "substantial harm or inconvenience" to customers. The Regulation offers a number of nonexclusive, general examples of measures that comply with these requirements, including
- training key personnel,
- testing the components of information security systems,
- imposing appropriate requirements on service providers and
- ongoing monitoring and evaluation.
Failure to comply with the Regulation is deemed a "determined violation" of New York's statutes prohibiting unfair trade practices by insurers (see NY Ins. Law § 2402(c), § 2403) and can result in civil penalties.
While the DFS's recent press release and survey do not mention Regulation 173, the items examined in the survey shed some light on what the DFS may consider to be a suitable "comprehensive written information security program." In other words, in navigating the broad requirements of the Regulation, an insurer might be informed by the specific elements of cyber security policies noted favorably by the DFS in the survey. Among these elements are
- the designation of a communications officer for responding to inquiries following a breach,
- the use of encryption,
- "penetration" testing (i.e., simulation of hacking or other breaches) and
- appropriate budgeting for cyber security.
While the DFS does not explicitly indicate in the survey that any of these measures provide a safe harbor from Regulation 173 requirements, one can reasonably conclude that insurers taking the most rigorous steps identified and measured in the survey would be, ceteris paribus, more likely to be in compliance with the Regulation's applicable provisions than not.
Another area in which the release sheds light on compliance relates to enterprise risk management (ERM). In 2014, the DFS, following model provisions of the National Association of Insurance Commissioners issued in 2011 and adopted since then by other states, enacted Regulation 203, Enterprise Risk Management And Own Risk And Solvency Assessment (available here), which requires insurers licensed in New York to report annually to the DFS on ERM. "Enterprise risks" are defined generally as any activity, circumstance or event involving the insurer that, if not remedied promptly, is likely to have a material adverse effect on its financial condition or liquidity, including matters that would cause further transaction of business to be hazardous to policyholders, creditors or the public (see also NY Ins. Law § 1501(a)(7)). As a general rule, insurers that are subsidiaries of public companies may, as part of their ERM reporting, use portions of SEC filings that are responsive to the particular categories of risk identified in Regulation 203. Under a predecessor emergency rule to Regulation 203, the first ERM reports were required to be filed by April 30, 2014.
The recent cyber security survey notes that "of the ERM reports filed by surveyed insurers, most do not specifically identify or discuss cyber security as a stand-alone material risk." In some cases, the survey noted, ERM reports mentioned cyber security only elliptically as part of broader discussion on operational risk. The survey concluded that "as awareness surrounding cyber security increases, it is expected that future ERM filings will include more frequent explicit references" to such issues. Insurers (not only in New York but in other states with similar ERM requirements) would be well advised to consider this "expectation" in light of what ERM requirements are intended to measure.
Specifically, what risks does cyber vulnerability pose, and what is the nexus between these risks and "financial condition or liquidity," which is the hinge of enterprise risk as defined above? Understanding how customer data can be breached, or how information systems can be hacked or otherwise compromised, would not seem to translate automatically into effects on financial condition or liquidity. Contingencies that might come into play include the impact that such a breach might have on new or renewal business; the costs associated with any required remediation efforts; exposure to regulatory investigations or enforcement actions; the risk of legal judgments, settlements or fines; effect on operations (for instance, inability to pay claims or send premium notices because of a cyber attack) or other potential consequences. The survey provides no guidance on distinguishing among these various exposures for reporting purposes or identifying the specific aspects of cyber security that inform enterprise risk. Insurers will need to consider the numerous variables involved in making these judgments, both in identifying the risks themselves and in distilling such risks into ERM reporting. Moreover, insurers that purport to satisfy their ERM reporting requirements by relying on pertinent portions of SEC filings should consider carefully whether generalized risk factor or similar cautionary language in a listed company's 10-K sufficiently addresses the items suggested in the DFS report.
It is likely that as the DFS begins to conduct its "targeted assessments" of insurer cyber security efforts, more light will be shed on what specific aspects of cyber security are meaningful to the DFS, both from a Regulation 173 (safeguarding customer data) standpoint and from a Regulation 203 (ERM) standpoint.