N.Y. Announces New, Targeted Cybersecurity Assessments for Insurers
The New York State Department of Financial Services (DFS) today released a report on cybersecurity in the New York insurance industry and announced a series of measures that DFS will take to help strengthen cyber hacking defenses at insurers.
DFS announced that “in the coming weeks and months,” DFS expects to proceed with a number of initiatives to help strengthen cybersecurity at its regulated insurance companies.
These initiatives will include integrating regular, targeted assessments of cybersecurity preparedness at insurance companies as part of the department’s examination process; putting forward enhanced regulations requiring institutions to meet heightened standards for cybersecurity; and exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors, and other measures.
“Recent cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses,” said New York Department of Financial Services Superintendent Benjamin M. Lawsky. “Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”
DFS’s report released today is based on a survey of 43 insurance entities that was conducted in 2013 and 2014. Of the total 43 insurance providers that completed DFS’s cybersecurity questionnaire, 21 were health insurance providers, 12 were property/casualty insurance providers, and 10 were life insurance providers. The reported assets of each entity surveyed range from $4 million to $403 billion, with combined assets of approximately $3.2 trillion for the 43 entities.
In the survey, 58 percent of insurers reported that they experienced no cybersecurity breaches in the three years preceding the survey, excluding failed attempts. Still, 35 percent reported experiencing between one and five breaches, 2 percent reported experiencing between six and 10, and 5 percent reported experiencing more than 10 breaches.
The insurers reported being the targets of a range of different hacking techniques, including: intrusive, malicious software or “malware”; email scams or “phishing”; techniques to gain control of networked computers, such as botnets or zombies; and pharming attacks, which are attempts to redirect a website’s traffic to a fake site.
The survey said that despite the variety of hacking techniques employed against the insurers surveyed and the number of breaches they experienced collectively, the institutions reported experiencing “relatively few negative effects” as a result of the breaches or hacking attempts. The survey said 12 percent of the insurers reported disruption to their telecommunications networks as a result of a breach, 7 percent reported insider access breaches, 5 percent reported account takeovers, and 2 percent reported data integrity breaches. None reported identity theft, third-party payment processor breaches, supply chain infiltration, or website defacement.
The survey also found that the majority of insurers (70 percent) reported suffering no financial loss in the past 12 months as a result of cybersecurity breaches, 23 percent reported suffering a loss of less than $250,000, 2 percent reported a loss of between $251,000 and $500,000, and one institution reported a loss of between $6 million and $10 million.
Information Security Strategy
When asked about their security strategy, over half of the insurers surveyed reported that their organization’s current information security strategy adequately addresses new and emerging risks, while 40 percent reported a need to modify their strategies to address new and emerging risks, and 14 percent said they need to investigate further to understand new and emerging risks.
DFS’s analysis of the insurers surveyed found that a wide array of factors — not just reported assets — affect the sophistication and comprehensiveness of the insurers’ cybersecurity programs. In other words, DFS said, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the department did not necessarily find that to be the case.
Moreover, the DFS survey found that 95 percent of insurers already believe that they have adequate staffing levels for information security and only 14 percent of chief executive officers receive monthly briefings on information security.
“For financial institutions in general — and insurance firms in particular — cybersecurity is an increasingly important area of focus within their organizations,” the DFS report stated. “Nevertheless, most institutions report that they continue to be challenged by the sophistication of cybersecurity threats and the speed at which technology is changing.”
“In light of the continuing cybersecurity challenges facing the financial services industry, the department has been focusing its attention on how it can foster improved cybersecurity across the industry and provide guidance to better protect both financial institutions and their customers,” the DFS report stated.
The DFS report also stated that over the past several months, the department has met with a number of insurance providers and brokers to better understand the evolution of the cyber insurance market and the various types of cybersecurity insurance products and services that are currently on the market.
“As with other types of insurance in the past, the growth of the cybersecurity insurance market could foster higher standards across the market. The department is currently considering the ways in which it can support and encourage the development of the cybersecurity insurance market,” the report stated.
DFS said it will continue to engage in discussions with financial institutions and cybersecurity experts to understand the evolving challenges the institutions face.
DFS also said it is in the process of revising its cybersecurity examination processes, which includes the development of extensive training programs for its IT examiners so that they are prepared to identify vulnerabilities in the institutions and work with the institutions to implement the appropriate solutions. “The department believes that such cooperation and dialogue is essential to developing smart and effective cybersecurity programs across New York’s financial services industry,” the report stated.
In addition to today’s report and actions related to the insurance industry, DFS has also taken a series of steps to help strengthen cybersecurity in the banking sector. In December 2014, DFS issued industry guidance to all its regulated banks outlining the specific issues and factors on which those institutions will be examined as part of new, targeted DFS cybersecurity preparedness assessments.
In addition, DFS has also issued a consumer alert for Anthem (the owner of Empire Blue Cross Blue Shield) in light of the recent data breach at that company. DFS said there are more than 4 million Empire Blue Cross Blue Shield customers in New York.
February 10, 2015