New York recently made headlines in the cybersecurity arena when the state’s Department of Financial Services (DFS) announced proposed cybersecurity regulations, which Governor Cuomo hailed as a first-in-the-nation effort to protect consumers and ensure the “safety and soundness” of New York’s financial services and insurance sectors. The proposed regulations, formally the Cybersecurity Requirements for Financial Services Companies, are important because they would impose a mandatory minimum cybersecurity standard for all insurance companies regulated by DFS.
Beyond that, the DFS Regulations are part of a national trend within the insurance industry to adapt to continually evolving cyber-threats, balancing the need for cybersecurity protections with the flexibility required to stay abreast of technological developments. Ultimately, the DFS Regulations reflect the continued evolution of what is considered reasonable cybersecurity, and as part of that, insurance firms should be prepared to contend with increasing regulatory scrutiny of their cybersecurity programs.
A New Mandatory Minimum Regulatory Standard
Insurance companies are entrusted with handling sensitive consumer information in digital format. Within the industry, however, there appears to be a gap between a clear acknowledgement of the importance of managing cyber risk and an understanding of the most effective way to do so.
In a survey of insurance companies that DFS conducted prior to proposing the new regulations, for example, nearly all the insurers reported having an information security framework in place. Only half, however, believed that their company’s current cybersecurity strategy was adequate to address new and emerging risks, while 40 percent reported a need to modify their frameworks to address evolving threats.
The DFS Regulations should help with this. While a detailed compliance overview is not presented here, the scope of the DFS Regulations is critical insofar as it sets out the five key elements of a cybersecurity program:
(1) a written information security policy;
(2) security awareness and education and training for employees;
(3) information security audits;
(4) risk management of cyber risk, including the identification of key risks and trends; and
(5) incident monitoring and reporting.
While the DFS found that the majority of insurers have cybersecurity frameworks that encompass these five elements, the DFS Regulations aim to harmonize the standards across regulated industries. In addition, the DFS Regulations envision regular assessments of cybersecurity preparedness at insurers as part of the DFS examination process. The regulations were officially published September 28, 2016, and are subject to a 45-day public comment period.
Insurance Industry Cybersecurity Regulation at a National Level
The DFS Regulations echo recent national efforts in the insurance industry to address cybersecurity.
The National Association of Insurance Commissioners (NAIC), the U.S. standard-setting and support organization governed by the chief state insurance regulators, has devised initiatives that aim to harmonize cybersecurity regulation nationally. These include, for example, the 2015 adoption of the NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance, which lay out guidelines and best practices for industry and regulators (and note the key role for state regulators in providing effective cybersecurity guidance). More recently, in March 2016, NAIC’s Cybersecurity Task Force introduced a new cybersecurity Model Law, which looks to establish exclusive standards for data security and investigation applicable to all insurance providers.
Similarly, the National Institute of Standards and Technology’s (NIST) 2014 Cybersecurity Framework, a collaboration of the private sector and regulators, established a voluntary risk-based set of standards to manage cybersecurity risk. NIST’s effort framed the continuing discussion of cybersecurity risk management with respect to its view of the core cybersecurity functions: to identify, protect, detect, respond to and recover from cyber-events.
Voluntary information-sharing organizations are also becoming the norm in regulated industries, and since cyber-attacks are often replicated across an industry, participating in such organizations can provide advance notice of threats facing peer firms. To that end, the Financial Services Information Sharing and Analysis Center provides members with global information intelligence sharing and analysis to help protect critical systems from cybersecurity threats.
DFS Regulations and Future Challenges
Looking to the future, insurance companies have identified two primary challenges to developing and maintaining a robust cybersecurity program: the increasing sophistication of cybersecurity threats and ever-emerging technologies. Certainly, technology is making it easier for cybercriminals to wreak havoc across any industry that stores or has access to sensitive data. Indeed, technologies like cloud computing, mobile devices and social media, along with the internet of things, are continually changing the playing field, presenting business opportunities as well as cyber-risks. In our view, the DFS Regulations can help insurance companies meet the challenges of evolving technology by establishing a minimum standard that is robust and applicable across the board while remaining flexible enough to address future cybersecurity requirements.