New York Department of Financial Services Seeks Stronger Cyber Hacking Defenses From Insurers

On February 4, 2015, Anthem Inc. disclosed that as many as 80 million customers’ sensitive personal information may have been compromised by criminal hackers. As a timely coincidence, but prompted in part by the breach, on February 8, the New York Department of Financial Services (DFS) issued its Report on Cyber Security in the Insurance Sector (DFS Report). DFS also announced its intention to take measures to ensure that insurers have strong cyber hacking defenses in place.

The measures to be taken by DFS will include: (1) examining insurance companies’ cyber security preparedness using “regular, targeted assessments” which, according to comments by senior DFS officials, will, in sum and substance, be incorporated “as part of the periodic financial examinations of all domestic insurers”; and (2) promulgating regulations that require insurers to meet a heightened level of cyber security. According to the DFS Report, DFS will be analyzing the representations and warranties of third-party vendors retained by insurers to secure their databases. In addition to the foregoing, DFS is considering implementing “multi factor authentication” in lieu of the simpler username-password authentication process currently employed. Recently, DFS took similar measures with respect to banking institutions’ IT procedures after a major hacking incident involving customers of J.P. Morgan Chase.

Some have expressed surprise that it has taken DFS this long to impose more stringent cyber security protection measures, given that an overwhelming majority of people are required, or at least strongly encouraged, to store sensitive personal information with their insurers. Such information includes birth dates, social security numbers, medical records and, in many cases, credit card information. President Obama’s 2015 National Security Strategy was released on February 6, 2015, and it is clear that the Administration considers cyber-attacks to be a legitimate threat requiring comprehensive defenses and protections. The capabilities of the modern hacker are well-documented and, as a result, blame is shifting from the hackers themselves to the institutions whose databases are vulnerable. Anthem customers have begun filing civil lawsuits against the healthcare giant in light of the recent breach.

As of January 1, 2014, New York Insurance Regulation 203, 11 N.Y.C.R.R. Part 82, requires most licensed insurance companies to file an annual enterprise risk management (ERM) report with DFS identifying “material risks” to their ongoing operations. According to the DFS Report, of the ERM reports filed by surveyed insurers, “most did not specifically identify or discuss cyber security as a stand-alone material risk…Only one ERM report … provided in-depth identification and analysis of cyber security risks specific to the particular entity and discussed specific steps and ongoing projects to mitigate those risks.”

In light of the foregoing, the February 2015 DFS announcement is a welcome development in the fight against cyber security breaches. Despite the flurry of breaches over the past several years, the trend towards a completely digital world continues. As such, all implicated parties, including state and federal regulators, must ensure they are doing all they can to protect vulnerable consumers.