New York Regulator Announces Plans to Conduct Targeted Cybersecurity Examinations of Insurance Companies, Issue Standards
On February 8, 2015, the New York State Department of Financial Services ("NYDFS") announced that it will soon begin making targeted cybersecurity assessments of insurance companies and that it plans to issue regulations setting heightened security standards. The announcement coincides with the agency's release of a Report on Cyber Security in the Insurance Sector (the "Report"), which provides a cross-section review of the cybersecurity practices and experiences of 43 insurance providers. The Report also reflects a growing trend by state regulators seeking to promote better safeguards of consumer information.
Although the Report covers the full range of NYDFS-regulated insurance companies, nearly half of the entities surveyed are in the health insurance sector. Health insurers typically possess vast amounts of protected health information and hence are a significant focus of the Report and the agency's reference to future actions. NYDFS gave few details about its regulatory agenda but did explain an intention to start acting in the "coming weeks and months." The following provides a basic overview of the Report.
Report Describes Industry Practices and Cybersecurity Gaps
The Report surveys the state of cybersecurity preparedness in the insurance sector and identifies the areas that might become the subject of regulatory oversight. The Report confirms the broad reach of cyber threats: about 42 percent of large and small insurers reported having experienced at least one breach within the last three years.
NYDFS expressed concern that some companies still do not conduct cybersecurity audits of their third-party service providers. Under agreements with insurance companies, third-party vendors often receive access to protected data, but they may not be subject to the company's cybersecurity program. NYDFS plans to impose heightened requirements on these third-party vendors through new regulations for insurers. Additionally, NYDFS encouraged insurers to participate in information-sharing activities, such as the Financial Services–Information Sharing and Analysis Center ("FS–ISAC"), which, among other things, helps identify threats experienced by participating members.
Other notable findings in the Report include:
- Most surveyed companies have designated information security executives, although only 14 percent said their CEOs receive monthly briefings on cybersecurity.
- Thirty-three percent of the companies that experienced a data breach did not consider the breach sufficiently significant to warrant notification to any third party. Also, most firms reported suffering no financial loss and having no cases of identity theft from the breaches.
- More than 95 percent of insurers reported having adequate staffing levels for information security, corresponding with increases in budgets that most security departments experienced over the last three years.
States Trending Toward More Active Oversight of Information Security
These announcements come on the heels of other cybersecurity initiatives recently adopted in New York. At the end of last year, NYDFS issued guidance to its banking sector regarding the agency's new procedures for examining cybersecurity programs of banks. Separately, as of 2014, NYDFS requires certain insurance companies to file annual enterprise risk management ("ERM") reports identifying material risks to their operations. According to the Report, most of the initial ERM filings by insurers do not disclose cybersecurity as a stand-alone risk. The authors of the Report expect future ERM filings will include more frequent, and more detailed, discussions of cybersecurity risks.
These recent actions follow a concerted effort among states to provide regulatory oversight for cybersecurity preparedness in the absence of federal standards. In November 2014, the National Association of Insurance Commissioners established a special task force charged with exploring potential frameworks that state insurance examiners could use in assessing insurance companies' cybersecurity programs.
In light of these policy developments, insurers should review the Report and continue monitoring the regulatory activities of New York and other states.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Scott A. Edelstein
John E. Iole
Lisa M. Ledbetter
Mauricio F. Paez
Matthew R. Bowles, an associate in the Washington Office, assisted in the preparation of this Alert.