Insurance regulators zeroing in on cybersecurity

Recent activity by regulators shows an increased focus on cybersecurity in the insurance industry. The National Association of Insurance Commissioners (NAIC) has published its Principles for Effective Cybersecurity Insurance Regulatory Guidance. In addition, the New York Department of Financial Services (NY DFS) recently released guidance for New York insurance organizations with their Report on Cybersecurity in the Insurance Sector.

Insurance regulators are providing the industry with a heads up that cybersecurity issues will be a focus in the near future. While much has been written about too much regulation, even a cynical observer would say a focus on cybersecurity is needed:

  • The buying public continues to lose confidence in the insurance industry’s ability to protect consumer information given the recent spate of breaches at Anthem and Premera harming everyone involved: insurers, regulators, and consumers themselves.
  • A combined effort encompassing all stakeholders will be needed to address cybersecurity threats.

The lesson for insurers to focus on is that a key stakeholder in your business, state regulators, has provided forewarning of the direction they are contemplating. To the extent an insurer disagrees, the forum is available to disagree. In other areas, the topics covered provide further information for an insurer’s cybersecurity readiness plan.

NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance

The NAIC has laid out guidance covering twelve general areas which are intended for all stakeholders: insurers, insurance producers, state regulators, and federal regulators. The guidance calls for a flexible regulatory approach, one that takes into account the size of the market players and the risks involved. The guidance seeks to have coordination across regulators. Specific insurer actions are called for, such as assessing third party risk and incident response.

Significant highlights

  1. Adoption of a flexible, scalable, practical cybersecurity framework such as the National Institute of Standards (NIST) for guidance
    1. NIST’s standards are one of several frameworks in the marketplace
    2. NIST standards are public domain, have been widely adopted, and are used extensively in other industries 
  2. Periodic discussions of cybersecurity internal audit findings at board of director meetings
  3. Training of employees
  4. Formal crisis response planning, including regulator involvement

NY DFS’ Report on Cybersecurity in the Insurance Sector

The NY DFS’ report on cybersecurity bluntly says, “Recent cybersecurity breaches …should serve as a wakeup call for insurers to redouble their efforts.” This is a clear signal that NY DFS will be taking a hard line on the preparedness of insurers. NY DFS examiners are undertaking a training program and will soon launch examinations focused on cybersecurity.

A foreshadowing of requirements

In several areas, NY DFS seems to provide a specific preview of requirements:

  1. The basics: Five key elements of an information security framework
    1. Policy
    2. Awareness and training
    3. Audits
    4. Risk management – identification of key risks and trends
    5. Incident management
  2. Enterprise risk management (ERM): In 2014, a new regulation was issued requiring some insurance companies to file an annual ERM report. The report notes “…it is expected that future ERM filings will include more frequent explicit references to cybersecurity.”
  3. Information sharing organizations: “…institutions of all sizes can reap benefits from membership in information-sharing organizations, such as the Financial Services – Information Sharing and Analysis Center (FSISAC) at a fairly low cost…members…receive timely notification…designed to help protect critical systems...”
  4. Vendor oversight and management: In several places in the report, NY DFS notes expectations regarding third-party service providers. This includes obtaining contractual provisions such as warranties on the third party’s responsibilities.

Certain areas in the NY DFS report provide softer suggestions. Such suggestions include:

  • On-going vulnerability scanning as an important component of the program, even though frequently penetration testing gets more attention.
  • Usage of multi-factor authentication for systems access.

Common threads in the NAIC and NY DFS documents

The two documents are in harmony on:

  • Both focus on including cybersecurity risks and mitigation approaches in an organization’s enterprise risk management (ERM) plan.
  • Both NY DFS and the NAIC have called on insurers to join an information sharing and analysis organization, e.g., Financial Services Information Sharing and Analysis Center (FSISAC). FSISAC is a not-for-profit organization meant to facilitate sharing of credible threat intelligence.
  • Both are clear that risks presented by third party service providers and vendors need to be addressed.

Next steps

While both the NAIC guidance document and the NY DFS report are relatively early steps in regulators’ cybersecurity program efforts, insurers would benefit from using the documents to assess their own cybersecurity programs and, if needed, address any significant gaps. Insurers should participate by providing feedback and monitoring developments. Learn more about what to do now to prepare for the regulations.

For more information on this topic, or to learn how Baker Tilly’s insurance and risk specialists can help, contact our team.