Cyber security is clearly one of the highest priorities — if not the top concern — for regulators in 2015. Late last month, the New York Department of Financial Services (DFS) sent more than 160 licensed insurers a New York Insurance Law Section 308 Letter seeking a detailed report regarding their cyber security practices and procedures. The Section 308 Letter — to which there is now less than three weeks to respond — also provides greater insight into the scope of cyber security examinations that DFS plans to schedule after receiving insurer responses to the Section 308 Letter.
This latest DFS action comes in the wake of the February 2015 DFS Report on Cyber Security in the Insurance Sector, which announced a number of measures that DFS plans to implement in the coming months including new regulations to meet heightened standards for cyber security. Additionally, the National Association of Insurance Commissioners’ newly created Cyber Security (EX) Task Force extended the comment period on its “Principles for Effective Cyber Security Insurance Regulatory Guidance” and announced plans to take additional regulatory actions to enhance insurer controls over cyber security.
Section 308 Letter and DFS Report
The Section 308 Letter requires insurers to provide DFS with responses to 16 different questions related to cyber security including, but not limited to, information related to the individual responsible for overseeing information security; copies of information security policies; data classification; multi-factor authentication for any networks, systems, or programs; and copies of the insurers’ policies or procedures related to contracting of third-party service providers. The deadline for submission of the responses is April 27, 2015. Additionally, the Section 308 Letter states that DFS plans to examine insurers’ cyber security practices once responses to the letter are received and a comprehensive risk assessment is conducted as to each responding insurer. Such cyber security examinations will include, but not be limited to, (i) information regarding corporate governance, including organization and reporting structure; (ii) management of cyber security issues; (iii) resources devoted to cyber security; (iv) management of third-party service providers; and (v) incident detection and monitoring.
It is clear that DFS considers cyber security to be one of the most important challenges and regulatory concerns in 2015. The February 2015 DFS Report highlights the cyber security information obtained by DFS in 2013 and 2014, which demonstrated that only 14 percent of chief executive officers receive monthly data regarding information security and that only 30 percent of insurers update their board of directors both quarterly and on an ad-hoc basis. DFS concluded that the cyber breaches at financial institutions should serve as a “wake up call” for insurers to focus on strengthening their cyber security programs. The DFS Report also announced a number of measures that DFS intends to implement in the coming months, namely, (i) inclusion of regular, targeted assessments of cyber security preparedness as part of the examination process; (ii) adoption of enhanced regulations requiring institutions to meet heightened standards for cyber security; and (iii) a requirement that insurers include stronger language in third-party administrator contracts relative to cyber security risks.
DFS Superintendent Benjamin Lawsky provided some insight into the substance of regulations that are currently under consideration in a February 25 speech at Columbia Law School. Specifically, Superintendent Lawsky stated that mandating the use of multi-factor authentication may be a key element in any new regulations and that third-party vendors and integration of cyber security into an insurer’s risk management practices are also critical factors in any cyber security plan. The questions included in the Section 308 Letter also provide insight into DFS’s thinking on new regulations: i.e., cyber security measures and protections as part of any corporate governance plan, regular reporting of cyber security issues to senior management and the board of directors, and information security testing and monitoring.
NAIC Cyber Task Force
The newly created NAIC Cyber Security Task Force has drafted “Principles for Effective Cyber Security Insurance Regulatory Guidance” and has extended the comment period until April 10, 2015. The draft enumerates 18 principles in an effort to address the increasing risk that cyber breaches pose to insurance consumers, including that (i) insurance regulators play a significant role in protecting consumer information; (ii) regulatory guidance must be risk based and threat informed; (iii) effective management of cyber security by third parties is essential for the protection of personal information; and (iv) cyber security risks should be included as a part of an insurer’s Enterprise Risk Report. In addition to finalizing these principles, the NAIC Cyber Security Task Force intends to draft a consumer bill of rights, distribute a survey on cyber security to all state insurance departments, and review all NAIC model laws and regulations to determine whether cyber security needs to be incorporated into any of these models.
What Should Insurers Do Now?
The Section 308 Letter, Superintendent Lawsky’s comments at Columbia Law School, and the actions of the NAIC Cyber Security Task Force make it clear that insurance regulators are focused on cyber security as perhaps the number-one regulatory issue for 2015. Based upon Superintendent Lawsky’s comments, multi-factor authentication and vendor contracts will no doubt be the focus of any new DFS regulations. These insights, along with the February 2015 DFS Report and the Section 308 Letter, provide guidance on the types of issues that insurers should address in the near term relative to cyber security. For example, it is prudent for insurers to (i) incorporate regular reporting of cyber security procedures, practices, and any breaches or other incidents to the board of directors and the chief executive officer; (ii) adopt cyber security practices and procedures as part of their Enterprise Risk Report and Own Risk and Solvency Assessment; (iii) investigate methods of multi-factor authentication and begin testing of such measures; and (iv) review third-party administrator contracts to determine the adequacy of representations, warranties, and indemnification provisions addressing cyber security issues.
It is important to note that New York Insurance Regulation 173 already requires licensed New York insurers to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. Additionally, that regulation mandates that each licensee monitor, evaluate, and adjust, as appropriate, its information security program in light of (i) relevant changes in technology; (ii) the sensitivity of its customer information and internal or external threats to that information; and (iii) the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems. Insurers responding to the Section 308 Letter should be able to leverage the practices and procedures in this existing program both in formulating a response to the inquiry and as a base for adding new practices and procedures specifically aimed at cyber security.