And the Cyber-Beat Goes On. Yet Another Cyber Regulatory Focus for Insurers
Regulators and government agencies are sharpening their focus on the issues surrounding cyber risk. The pronouncements are too numerous to recite in a single client alert, but the overarching message is clear – be prepared or be subject to attack. Attacks will come not only from hackers, customers, consumers and, ultimately, the plaintiffs’ bar, but from the regulators themselves. Vulnerability lies not only with companies that have suffered a cyber attack but increasingly with the companies’ officers and directors who fail to adequately safeguard data.
On March 26, 2015, the New York Department of Financial Services (DFS) announced that it would be expanding its information technology examination procedures to focus on cyber risk. This effort was a follow-up to its February 8, 2015 announcement of new cyber assessments (see "Not Just Another Client Alert about Cyber-Risk and Effective Cybersecurity Insurance Regulatory Guidance," March 24, 2015). Not to be outdone, the National Association of Insurance Commissioners (NAIC) proposed a comprehensive and mandatory filing for property casualty insurers that would give regulators a full range of information and data on the cyber risk exposures issued by carriers in the insurance market. This proposal comes on the heels of President Obama’s proposal, just two months ago, to create the Cyber Threat Intelligence Integration Center (CTIIC), a new federal agency designed to fight cyber attacks, provide collaboration and encourage information sharing between the Federal government and private industry.
Unlike the New York proposals and the CTIIC, whose efforts are principally designed either to collect information on cyber attacks or to assess an insurer’s cyber readiness, the NAIC’s proposed filing focuses on insurers’ potential balance sheet exposures to cyber coverage. If adopted, the proposed filing will require insurers to provide a significant amount of data through a supplement to property and casualty insurers’ annual statutory statements. Insurers will be required to file the supplement by April 1 of each year and, in effect, the filing will require each insurer to separate out any form of cyber risk insurance coverage issued by the company under the terms of any policy, whether a cyber risk policy, business interruption, commercial general liability or other policy. It is unclear whether this filing will cover only US situs risk or will reach non-US affiliates and non-US exposures as well, or what standards an insurer should employ to assess whether a policy does or does not cover such risks, including indirect exposures.
Basically, the NAIC filing will allow regulators to better and more accurately assess the size of the cyber insurance market, the principal insurers in that market, how much premium volume is attributable to cyber risk, and the market’s claims exposures. According to the NAIC, this information will facilitate the development of its Principles for Effective Cybersecurity Insurance Regulatory Guidance, issued just prior to the NAIC’s meetings in March 2015. The proposed filing could provide regulators with the first close look at the potential large-scale industry exposure to cyber risk. As drafted, however, it will not capture much of the practical, systemic and operational exposure arising, for example, from vendors, third party service providers and shared infrastructure, which are key areas of cyber exposure for almost any company and a focal point of the DFS.
All of this continued regulatory focus portends that insurers, brokers, agents and other intermediaries, including service providers and vendors to the industry, should be reviewing and updating their internal procedures regarding cyber risk, including all arrangements with third parties, consultants and independent contractors. Moreover, companies are on notice to implement protocols and install credentialed Chief Information Security Officers. Absent those steps, not only may companies be vulnerable to cyber exposure from hackers, viruses, and other invasive programs, but the companies and their directors and officers may be exposed to extensive (and expensive) litigation.
Copies of the NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance and the DFS’s announcements on February 8 and March 26 are available here:
- Principles for Effective Cybersecurity Insurance Regulatory Guidance
- NYDFS Announces New, Targeted Cyber Security Assessment for Insurance Companies - February 8, 2015
- Superintendent Lawsky Letter to Insurers on Cyber Security - March 26, 2015
For further information, please contact Robert Ansehl (212.631.4410; firstname.lastname@example.org).