On November 9, 2015, the New York Department of Financial Services (NYDFS) issued a letter that describes what insurers can expect from the Department’s ongoing assessment of cybersecurity measures. The letter parallels concerns raised in NYDFS’s February 2015 report, which noted low levels of CEO attention to cybersecurity issues and high levels of information sharing with third-party service providers.
The letter lists eight areas where “potential regulations” would set specific requirements. Given the Department’s concern for the security of consumer information held by large insurance entities, it is unlikely that this letter is merely a general statement of areas the Department is considering regulating. More likely, the eight areas analyzed below preview regulatory provisions in the works.
Cybersecurity Policies and Procedures: The Department outlines an extensive 12-point list of subject areas they expect to be addressed by entities’ cybersecurity policies and procedures. These include:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Incident response, including setting clearly defined roles and decision-making authority
Though large insurers already have many of these policies and procedures in place, this list becomes more onerous when read in conjunction with Section 5. Section 5 states that “[e]ach covered entity would be required to maintain and implement written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.” If this formulation is preserved in the final regulations issued by NYDFS, it would be insufficient for insurers to merely implement these policies and procedures. Rather, they would also have to meet a standard of reasonableness in that implementation. As discussed in Section 5, this may prove challenging.
Third-Party Service Provider Management: The Department goes into detail regarding third-party providers, suggesting that covered entities “maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third party service providers.”
NYDFS proposes a contractual method for carrying out this suggestion — requiring insurers to include minimum preferred terms in third-party agreements. The Department then lays out six contractual terms meant to bolster information sharing including the use of multi-factor authentication, encryption, indemnification, and security auditing.
Multi-Factor Authentication: The Department will likely require covered entities to “implement multi-factor authentication for all access to internal systems and data.” Multi-factor authentication requires that there be two methods of verifying one’s identity before access to sensitive accounts or data is allowed.
Chief Information Security Officers: The Department will also require each covered entity “to designate a qualified employee to serve as its Chief Information Security Officer (CISO).” The CISO would “be required to submit to the Department an annual report, reviewed by the entity’s board, assessing the cybersecurity program and the cybersecurity risks to the entity.”
Application Security: The Department states, “[e]ach covered entity would be required to maintain and implement written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.” As noted above, if the standard enunciated above is formalized, it will apply a reasonableness standard to all 12 required policy and procedure topics outlined in Section 1.
Cybersecurity threats are constantly evolving. This means that what is “reasonable” in abating them is also fluid. Keeping up with this ever-changing standard will be a difficult task for any entity that holds large quantities of personal information.
Cybersecurity Personnel and Intelligence: The Department also notes that each covered entity “would be required to employ personnel adequate to manage the entity’s cybersecurity risks and perform the core cybersecurity functions of identify, protect, detect, respond and recover.” The costs of employing and training such personnel, or outsourcing these responsibilities to third parties, will be significant for any insurer that aspires to comply with the forthcoming regulations.
Audits: Not only does the Department contemplate annual “penetration testing” (controlled attacks on computer systems that identify security weaknesses) and quarterly “vulnerability assessments” (cataloguing and categorizing vulnerabilities in the system through risk analysis), but it also lays out the specifics of maintaining an “audit trail” system.
Notice of Cybersecurity Incidents: Finally, the Department lays out a standard for government notification in the event of a cybersecurity incident. If implemented, this standard would require covered entities to notify the Department of any “incident that has a reasonable likelihood of materially affecting the normal operation of the entity.”
Notification would be required in the case of “any cybersecurity incident: (1) that triggers certain other notice provisions under New York Law; (2) of which the entity’s board is notified; or (3) that involves the compromise of ‘nonpublic personal health information’ and ‘private information’ ... or any biometric data.”
In sum, the NYDFS letter suggests three major proactive measures for insurers in the coming months:
- Policies and Procedures: Insurers should (i) put policies and procedures in place for all 12 subject areas listed in Section 1, and (ii) confirm that those policies and procedures are “reasonably designed to ensure the security of all applications utilized by the entity.”
- CISO: Insurers should designate an employee as their CISO, and implement systems for his or her annual report to the Department and the entity’s board.
- Update Third-Party Vendor Contracts: Insurers should update their third-party service provider contracts to include the six contractual terms referenced in Section 2.