August 21, 2015
7 Key Changes for Insurers’ Cybersecurity
by Joseph Nocera and Christopher Morris
U.S. banks and payment processors have led the way on cybersecurity. It’s time for insurers to catch up.
Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” High-profile data breaches at several health insurance providers exposed data on 90 million consumers, revealing the industry’s vulnerability. So the NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks.
Thus far, U.S. banks and payment processors have led the way on cybersecurity, both because they have been frequent targets of cyber-attacks and because of strong regulatory and industry enforcement (e.g., FFIEC examination guidance, GLBA, and PCI DSS). It’s time for insurance companies to play catch-up, and the NAIC is spurring them on.
As a result, we anticipate seven changes:
- An increase in cybersecurity regulations;
- A focus on consumer privacy;
- An increase in cybersecurity spending;
- The growing importance of cybersecurity information-sharing and analysis groups;
- The board’s and management’s involvement in cybersecurity;
- The increased need to manage third-party risks; and
- The link between cybersecurity and risk management.
The NAIC is the standard-setting and regulatory-support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. But individual state and territorial regulators oversee the insurance companies’ practices within their jurisdictions. Only a few states (e.g., New York, California and Massachusetts) have actually enacted data protection laws that apply to the insurance sector. Thus, most individual regulators have been left to their own devices when it comes to cybersecurity practices, particularly given that there is no central regulator defining industry standards and no uniform set of requirements. Consequently, individual regulators on the whole have been using different standards when examining cybersecurity practices, with cybersecurity requirements varying state-to-state.
The NAIC became involved to help both insurance regulators and companies. Specifically, it conducted a multi-state examination of a breached insurer’s cybersecurity practices and determined what actions the company could have taken to minimize its data loss. The NAIC then published two documents related to cybersecurity:
- “Principles of Cybersecurity” – Created by the NAIC’s cybersecurity task force (formed in November 2014), the document is intended to (a) help insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to their covered entities and (b) promote cooperation between regulators and the insurance industry in identifying and addressing cybersecurity risks. The document applies to state regulators and insurers, insurance producers and other regulated entities (“covered entities”); and
- “Annual Statement Supplement for Cybersecurity” – The NAIC’s property and casualty insurance committee created this document to establish requirements for insurers that provide cyber coverage. It requires insurers to report the range of limits offered on cyber insurance policies (both stand-alone and commercial, multi-peril packages), losses paid under each policy, earned premiums, whether policies are claims-made policies and whether tail coverage is offered.
Principles of Cybersecurity
In summary, the principles state that insurance regulators (the first six below) and covered entities (the remaining seven):
- Should ensure that confidential and personally identifiable information (PII) that covered entities hold is protected from cybersecurity risks.
- Should mandate that insurance providers have systems in place to alert consumers in a timely manner of cybersecurity breaches. Insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.
- Should protect covered entities’ confidential information and PII that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. In the event of a breach, those affected should be alerted in a timely manner.
- Should deliver flexible, scalable and practical cybersecurity regulatory guidance for covered entities that is consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
- Should make regulatory guidance risk-based and consider the resources of the covered entities, with the caveat that a minimum set of cybersecurity standards must be in place for all covered entities that are physically connected to the Internet, regardless of size and scope of operations.
- Should provide appropriate regulatory oversight, including conducting risk-based financial examinations or market conduct examinations regarding cybersecurity.
- Should appropriately safeguard customer PII that is collected, stored and transferred inside or outside of a covered entity’s network.
- Should implement incident response planning activities as part of a cybersecurity program, including conducting cyber incident response tabletop exercises.
- Should take appropriate steps to ensure that third parties and service providers have controls in place to protect PII. This may include third-party assessments to understand service providers’ current controls environments.
- Should incorporate and address cybersecurity risks as part of the enterprise risk management process. Cybersecurity transcends the information technology department and must include all facets of an organization.
- Should have a board of directors or its appropriate committee review information technology audit findings that present a material risk to an organization.
- Should participate in an information-sharing and analysis group to share information and stay informed regarding emerging threats or vulnerabilities.
- Should consider periodic and timely training, paired with an assessment, to be an essential component of all cybersecurity programs.
What Should Insurance Companies Expect?
Over the next few years, we anticipate many changes in the insurance sector related to cybersecurity, including:
- Increase in Cybersecurity Regulations – According to PwC’s recently released “The Global State of Information Security Survey,” cybersecurity regulation within the financial services industry is only expected to increase in 2015 and beyond. Based on the NAIC’s guidance, we expect the various U.S. states and their insurance regulators to pass cybersecurity regulations to ensure that covered entities have adequate controls in place to protect consumer PII. Covered entities will be required to demonstrate resilience to cyber-attacks, including malware attacks, insider threats, data corruption or destruction, and denial-of-service attacks.
- Focus on Consumer Privacy – In addition to cybersecurity regulations, covered entities will be expected to comply with privacy regulations. The Consumer Privacy Bill of Rights, which the Obama administration proposed, includes provisions mandating transparency; individual control; respect for context; focused collection and responsible use; security; access and accuracy; and accountability. If passed into law, the Consumer Privacy Bill of Rights would require covered entities to provide transparent descriptions of their data collection practices, and to limit how and what data they collect. Additionally, global data privacy laws, such as the European Union’s proposed General Data Protection Regulation, increase the compliance obligations of U.S. insurance companies doing business globally.
- Increase in Security Spending – To implement adequate controls and comply with the regulatory requirements, covered entities will increase their cybersecurity spending. According to the New York State Department of Financial Services (NYDFS) “Report on Cyber Security in the Insurance Sector,” released in February 2015, 86% of insurers expect their security budgets to increase in the next three years. The same report noted that only 51% of insurers had budgeted for cybersecurity incidents.
- Importance of Information Sharing Organizations – Information-sharing will be an essential part of insurance companies’ cybersecurity strategies. We expect to see more insurance companies join Information Sharing and Analysis Centers (ISACs), such as FS-ISAC, or the recently announced insurance ISAO.
- Board and Management Involvement – For organizations to better address cybersecurity threats and regulatory guidance, we anticipate a push to increase senior management and board involvement in cybersecurity issues and decision-making. According to the NYDFS study, only 30% of boards receive updates on cybersecurity issues on a quarterly basis.
- Managing Third-Party Risks – Concerns will grow around third-party risks and the cybersecurity threats that arise when networks and data are shared with business partners and service providers. Covered entities will be expected to demonstrate adequate oversight of their service provider relationships.
- Link Between Cybersecurity and Risk – As cybersecurity incidents continue to proliferate, organizations must reposition their security strategies to align closely with their broader risk-management activities.