Not Just Another Client Alert about Cyber-Risk and Effective Cybersecurity Insurance Regulatory Guidance
The prefix "cyber" was coined about 70 years ago to describe early-stage computers, computer networks and virtual reality. Since then, the term has been used as a prefix for hundreds of words; however, the most recent (and newsworthy) usage is its link to the word "risk" and the correlative term "security." These are two sides of the same coin, and not a day goes by when a data breach is not reported and the importance of cyber risk and cybersecurity underscored. Insurers, like other financial institutions, are at the forefront of the "cyber-curve." Many insurers are particularly vulnerable on at least two fronts: (1) from a cyber risk/cyber invasion perspective; and (2) an insurer's insurance policy exposure, intentional and not, to third parties under cyber policies, and even under policies such as CGLs that may inadvertently cover such risks.
A number of federal and state regulators have spoken to this issue in an effort to address cyber risks with varying degrees of specificity. At last count, in addition to a myriad of existing and proposed state laws and regulations, there are at least nine federal Bills under consideration by Congress that seek to impose regulatory requirements upon the cyber-arena; those Bills empower six federal regulatory agencies, including one new agency. Initially, some states required companies to notify affected persons of a data breach. As breaches became more serious, state and federal regulators sought to increase the industry's awareness of the potential exposures and provided instructions on appropriate steps to protect data from cyber invasions. Now, state insurance regulators are examining not only the threat of data theft, but also the balance sheet impact of insurance exposures from underwriting such risks for third parties under cyber risk policies. The regulatory efforts continue to multiply in an effort to stem some of these risks.
On February 8, 2015, the New York State Financial Services Department, Insurance Department (the DFS) announced new cybersecurity assessments intended to strengthen domestic insurance industry cybersecurity. Although still a work in progress, the guidance appears to be following a path similar to the DFS's December 10, 2014, guidance regarding bank security preparedness, including:
- The management of cybersecurity issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cybersecurity insurance coverage and other third-party protections.
On March 12, 2015, the National Association of Insurance Commissioners (NAIC) exposed for public comment a draft of broad principles on cyber insurance oversight that includes the need for enhanced solvency oversight by insurers selling cyber insurance and information sharing. Less than four months later, and after a few regulator-only meetings, the NAIC formed a special task force to help coordinate insurance issues related to cybersecurity. A little more than a month after the Anthem Inc. data breach and on the heels of the disclosure of the Premera Blue Cross security breach, the NAIC proposed 18 principles covering issues from security of regulatory databases to solvency considerations for insurers. The NAIC’s principles for effective cybersecurity and insurance regulatory guidance include:
- Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks.
- Insurance regulators have a significant role and responsibility regarding the insurers’ efforts to protect sensitive customer health and financial information.
- Insurance regulators have a significant role and responsibility in protecting the sensitive information housed in insurance departments and at the NAIC.
- Insurance regulators recognize the value of collaboration in the development of regulatory guidance with insurers, insurance producers, consumers and the federal government with the goal of a consistent, coordinated national approach.
- Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology framework.
- Regulatory guidance must consider the resources of the insurer or insurance producer.
- Effective cybersecurity guidance must be risk-based and threat-informed.
- Insurance regulators should provide appropriate regulatory oversight, which includes but is not limited to, conducting risk-based, value-added financial examinations and/or market conduct examinations regarding cybersecurity.
- Planning for crisis response for insurance regulators, insurers, and insurance producers is an essential component to an effective cybersecurity program.
- The effective management of cybersecurity by third-parties and service providers is essential for protection of consumers' sensitive personal health and financial information.
- Information sharing is important for risk management purposes; however, it must be limited to essential cybersecurity information and protect sensitive confidential information.
- Cybersecurity risks should be included and addressed as part of an insurer's and insurance producer's Enterprise Risk Management processes.
- High level information technology internal audit findings should be discussed at the insurer's and insurance producer's Board of Directors meetings.
- It is essential for insurers and insurance producers to join Financial Services Information Sharing and Analysis Center to share information and stay informed about cyber and physical threat intelligence analysis and sharing.
- Sensitive data collected, stored and transferred inside or outside of an insurer's or insurance producer's network should be encrypted.
- Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential.
- Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families.
- Additional data on the sale of cyber insurance products should be collected to assist insurance regulators with oversight of financial and market regulation.
The draft principles emphasize that it is "essential for insurers and insurance producers to join [the] Financial Services Information Sharing and Analysis Center to share information and stay informed about cyber and physical threat intelligence analysis and sharing."
In its March 12 release of the draft, the NAIC did not elaborate on the principles as initiatives, or on whether any of them could one day become draft model laws to be considered by various NAIC committees, which could develop guidance for financial condition oversight of companies or accreditation standards for states. One principle that could later have balance sheet implications for insurers states that "enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families." Thus far, the NAIC has not elaborated on whether states should require the oversight, or on the method by which it would be implemented. At this point, it appears that the NAIC has merely suggested that these principles are intended to establish insurance regulatory guidance that promotes regulator-industry relationships and protects consumers and the insurance industry.
The draft principles recognize the resources of insurers and producers, stating that compliance with cybersecurity regulatory guidance must be flexible, scalable and practical. They also highlight the NAIC's support for insurance industry consistency with the national efforts grounded in the National Institute of Standards and Technology framework. One proposed principle reflects a major concern of regulators in New York, as well as of officials at the U.S. Treasury Department, in terms of cybersecurity vulnerability: the effective management of cybersecurity by third-party vendors and service providers.
Finally, at least one credit rating agency, Fitch Ratings, has implied that its rating criteria may include an insurer's cyber liabilities under insurance policies (including not only so-called cyber risk policies but also CGLs and policies that cover business interruption) due to the "significant" potential losses that may arise and the difficulty of properly modeling the exposures under traditional actuarial methodologies.
It is clear that the NAIC has fast-tracked these principles for adoption. The principles will be addressed at the NAIC Spring National Meeting in Phoenix, with a March 29 proposed vote to consider adoption of the principles at its Executive Committee meeting. We will be attending this meeting and, upon request, will be happy to provide further information or a special briefing on this or other issues. In the meantime, insurance companies, insurance intermediaries, and third-party providers to regulated entities should review the NAIC draft principles in light of their current systems and potential capabilities.
If we can be of assistance or you would like a copy of the NAIC's draft Principles for Effective Cybersecurity Insurance Regulatory Guidance, please contact Robert Ansehl (212.631.4410; firstname.lastname@example.org).