The New York Department of Financial Services (DFS) has released a report detailing the results of its recent survey of insurance industry cyber security protections. The report is accompanied by an announcement that DFS will enhance its oversight of cyber security, including the specific steps of 1) "integrat[ing] regular, targeted assessments of cyber security preparedness at insurance companies" as part of its examination process, 2) issuing regulations requiring insurers to meet "heightened standards for cyber security" and 3) examining "stronger measures" on third-party vendor representations and warranties.
According to DFS superintendent Ben Lawsky, "recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses" and the DFS has clearly indicated that it intends to ensure that insurance companies respond accordingly. What is not clear are the details of the standards and controls that insurers are expected to implement, and whether those standards are consistent with or exceed current industry standards.
While details on insurance assessments have not been released, insurers can look to December 2014 guidance issued to banks that lists several topics DFS will focus on in assessing banks, including protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; and the security of their third-party vendors.
Cyber risk issues continue to ascend the agendas of regulators as more high-profile breaches occur. New York insurers should review their cyber security programs in anticipation of heightened regulations and scrutiny by DFS. The review should include a particular focus on areas DFS has highlighted, including incident response and vendor management.
The DFS announcement can be found here, and the report can be found here.