As data breaches and their consequences have become increasingly common and gained public attention, cyber security has become a significant issue for both the insurance industry and insurance regulators. Although the recent coverage of the massive cyber security breach at Anthem, Inc. (“Anthem”), which affected as many as 80 million of its customers whose account information was stolen, put a particular spotlight on cyber security issues in the insurance sector, cyber security has been a growing concern for insurance regulators for the past few years, prompting NAIC discussion that led to the formation of a Cybersecurity (EX) Task Force (“CTF”) in November 2014. The CTF, established to help coordinate insurance issues related to cyber security, is charged with monitoring developments in the cyber security area and with making recommendations to the NAIC regarding: (i) the protection of information housed in insurance departments and the NAIC; (ii) the protection of consumer information collected by insurers; and (iii) collecting information on cyber-liability policies being issued in the marketplace.
The New York Department of Financial Services (“DFS”) has also taken a leading role in addressing the cyber security issue with a promise to beef up its examination of insurers. This focus by DFS on the insurance industry is a natural outgrowth of its December 2014 bulletin to all New York-chartered or licensed banking institutions regarding its new cyber security examination process. Fearing an “Armageddon-type cyber event” in the financial sector in the near future, the DFS Superintendent Benjamin Lawsky, speaking at Columbia Law School in February, indicated that cyber security will likely be the most important issue that DFS will face in 2015. In the wake of the Anthem breach, DFS released a report entitled “Report on Cyber Security in the Insurance Sector,” on February 8, 2015, and announced that it plans to “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of [its] examination process.”
The report summarizes the results of a survey DFS conducted during 2013 and 2014 “to obtain a horizontal perspective of the insurance industry’s efforts to prevent cyber crime, protect consumers and clients in the event of a breach, and ensure the safety and soundness of their organizations.” In the report, DFS warned the insurance industry that “[r]ecent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses.”
Of the 43 insurers surveyed, 21 were health insurers, 12 were property and casualty insurers and 10 were life insurers. The combined assets of the 43 insurers surveyed totaled approximately $3.2 trillion. The topics of the survey included the following:
- the insurer’s information security framework;
- the use and frequency of penetration testing and results;
- the budget and costs associated with cyber security;
- corporate governance around cyber security;
- the frequency, nature, cost of and response to cyber security breaches; and
- the insurer’s future plans on cyber security.
Of those surveyed, 58% reported that they experienced no cyber security breaches in the three years preceding the survey (excluding failed attempts) while 35% reported experiencing between one and five breaches, 2% reported experiencing between six and ten, and 5% reported experiencing more than ten breaches.
The DFS report also reflects discussions DFS has had with a cross-section of insurers and cyber security experts as well as its review of insurers’ statutorily required enterprise risk management (“ERM”) reports filed with the NY DFS for the first time in 2014.
According to the DFS report, “[o]nly one ERM report filed by the surveyed insurers provided in-depth identification and analysis of cyber security risks specific to the particular entity and discussed specific steps and ongoing projects to mitigate those risks.” In most ERM reports filed by surveyed insurers, cyber security was not specifically identified or discussed as a stand-alone material risk and, to the extent it was addressed, was discussed only in “broad terms as a subset of material operational risk.”
In a February 5, 2015 speech, Superintendent Lawsky highlighted a number of areas of concern:
- A company’s cyber security is only as strong as the cyber security of its weakest vendor. Accordingly, companies need to perform adequate due diligence on their vendors’ cyber security and obtain appropriate representations and warranties in their vendor contracts.
- Multi-factor authentication, e.g., a password plus a security token, should always be required for systems access. Allowing access by entering a single password is poor cyber security hygiene.
- Security breaches are almost inevitable, so companies need to put in place mitigators for when a breach occurs, such as strong encryption and restrictions on download, so hackers will be prevented from capturing sensitive data even if they penetrate the company’s firewall.
- The property and casualty insurance industry needs to focus on providing robust cyber security insurance coverage.
We will continue to monitor events in this rapidly developing area.