Insurers’ Call Centers: a Cyber Weakness?

Two years ago, the New York State Department of Financial Services (DFS) released a report on cybersecurity in the insurance sector after surveying 43 insurers with more than $3.1 trillion in assets. The report revealed that 35% of these companies experienced between one and five data breaches within the previous three years. This statistic represents only confirmed breaches (not attempted attacks), and the consequences for affected insurers included actual financial losses from lost customer business, legal defense and damaged brand reputation.

Fast forward to today, and it’s no surprise that the DFS is preparing to launch a new regulation on March 1 that requires banks, insurance companies and other financial services institutions it regulates to establish and maintain a cybersecurity program. The first of its kind in the U.S., this regulation aims to protect New York consumers and financial institutions from the ever-growing threat of cyberattacks. But, like any other industry-wide regulation, this proposed mandate is not without its challenges.

A key provision in the proposal is the requirement to encrypt non-public information (NPI) — such as payment card numbers, Social Security numbers (SSN), driver's license numbers and other security codes — both in transit and at rest. For insurance companies that routinely capture and store this information in their call centers and other areas of the business, protecting NPI will be especially challenging. Most insurers record customer calls, and so end up housing payment card numbers and other NPI in their physical and IT infrastructure. Many insurers use “stop/start” (pausing the recording while the customer reads out card details) to keep this data out of recordings, but the method creates additional security and governance concerns. Insurers that must record 100% of calls to demonstrate compliance with other existing legislation, and that use stop/start, are no longer recording the entire call. That not only leaves them non-compliant but also opens a window for illicit activity while the recording is paused. Yes, NPI is kept out of the call center’s recording infrastructure, but it is still exposed to agents — further complicating the effort to secure customer data. And the data that is captured will still need to be encrypted, so stop/start on its own is not enough.

The most effective way to protect sensitive information, eliminate insecure practices and resolve broken processes to avoid potentially costly penalties and a tainted brand reputation is to abide by the saying: “They can’t hack what you don’t hold.” In short, keep NPI and other sensitive data out of the call center altogether. Insurers should implement a solution that encrypts data as it is collected and in-flight, as well as reducing stockpiles of data at rest that is just waiting to become exposed in the next big breach.

Despite the undoubted challenges it will bring, the New York DFS cybersecurity regulation is a step in the right direction because it starts to create much-needed standardization in the way insurers and their call centers handle sensitive information. To emphasize this point, we recently spoke with call center agents at 10 of the leading U.S. insurance companies. We found no uniform approach to data security measures, especially when it comes to how sensitive information is removed from call recordings (and the insurers using stop/start still hold NPI elsewhere in the estate and are no longer recording 100% of calls). Agents gave a wide range of answers — from using stop/start, to redacting information after the fact, to deleting the full recording after 30 days. This is in sharp contrast to the U.K., where a growing number of call centers are adopting an operating procedure that uses dual-tone multi-frequency (DTMF) masking and a secure, separate environment for encrypting data. Shouldn’t all insurers handle their data in the same, secure manner?
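As an added illustration of the DTMF masking approach mentioned above (this is constructed example code, not code from the original post or from any product it alludes to): a Goertzel detector scans the caller's audio frame by frame for keypad tones and blanks those frames before the audio reaches the recorder, so the card digits never land in the recording while the agent side of the call is still captured end to end. The 8 kHz sample rate, 25 ms frame, detection threshold and the synthetic "call" built from a 300 Hz stand-in for speech are all assumptions made for the demonstration.

```python
import math

SAMPLE_RATE = 8000                      # assumed telephony rate (samples/s)
FRAME = 200                             # 25 ms analysis window
ROW_FREQS = (697, 770, 852, 941)        # DTMF low-group tones
COL_FREQS = (1209, 1336, 1477, 1633)    # DTMF high-group tones
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(frame, freq):
    """Power of one target frequency in a frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_digit(frame, rel_threshold=0.1):
    """Return the keypad digit sounding in this frame, or None if there is no DTMF pair."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    floor = rel_threshold * energy * len(frame)   # tone must dominate the frame
    rows = [goertzel_power(frame, f) for f in ROW_FREQS]
    cols = [goertzel_power(frame, f) for f in COL_FREQS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    if rows[r] < floor or cols[c] < floor:
        return None
    return KEYPAD[r][c]


def mask_dtmf(samples):
    """Blank every frame carrying a DTMF tone; return (masked_audio, digits_detected)."""
    masked, digits, last = [], [], None
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        d = frame_digit(frame)
        if d is not None:
            frame = [0.0] * len(frame)   # silence here; production systems substitute a flat tone
            if d != last:                # a held key spans several frames: count it once
                digits.append(d)
        masked.extend(frame)
        last = d
    return masked, "".join(digits)


def tone(freqs, seconds, amp=0.4):
    n = int(SAMPLE_RATE * seconds)
    return [sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs) for t in range(n)]


def synth_call(keys):
    """Constructed audio: 300 Hz stand-in for speech, then each key for 50 ms with a 50 ms gap."""
    audio = tone([300], 0.1)
    for k in keys:
        r = next(i for i, row in enumerate(KEYPAD) if k in row)
        audio += tone([ROW_FREQS[r], COL_FREQS[KEYPAD[r].index(k)]], 0.05) + tone([300], 0.05)
    return audio + tone([300], 0.1)
```

Running `mask_dtmf(synth_call("4111"))` reports the digits that were pressed (useful for routing them to the separate payment environment) and returns audio in which a second pass finds no tones at all.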

While the New York DFS regulation is the first of its kind, it most certainly won’t be the last. We will now likely see other cybersecurity regulations crop up in the coming years that help standardize how financial institutions secure their data. Because this regulation affects all who conduct business in New York, it draws parallels to the pending EU General Data Protection Regulation (EU GDPR). Taking effect in May 2018, the EU GDPR will affect all businesses that hold or process data pertaining to EU citizens — no matter where they reside. Indeed, we are seeing all signs pointing toward greater standardization of data security across industries and borders. Insurers in New York and beyond must begin looking at solutions — now — to help simplify their compliance efforts and protect their customers and their reputations.

Cyber Rules May Be Only Weeks Away

Last September, New York’s Department of Financial Services (DFS) took a major step forward in its efforts to improve the cybersecurity posture of financial institutions (including banks and insurance companies) by proposing the first-in-country cybersecurity regulations. By any measure, the proposed regulations are comprehensive and demanding, and admittedly are intended by DFS to be “groundbreaking.” The proposal contains a number of prescriptive requirements that are substantially more rigorous than current best practices and would require major operational changes for many organizations.

Key Components  

The regulations would require entities to fulfill a variety of requirements, including the establishment of a cybersecurity program, and the adoption of a cybersecurity policy, which must be approved by the board or by a senior officer, and which encompasses key risk areas including information security, access controls, business continuity, data privacy, vendor management and incident response.

The proposal would also require covered entities to designate a chief information security officer (CISO), who will be responsible for implementing, overseeing and enforcing the cybersecurity program and policy. The CISO would need to develop a report, at least bi-annually, that addresses a prescribed list of issues. The report would then be presented directly to the company’s board. The board chair or a senior officer would be required to submit an annual certification of compliance with the regulations, which might expose that individual to liability if the entity is, in fact, noncompliant.

In addition, the proposed regulations broadly define a “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” The covered entity would be required to notify the superintendent of financial services within 72 hours of any such event if it “has the reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information.” This raises the question of how an unsuccessful attack could ever have a reasonable likelihood of materially affecting operations or protected information. But a fair reading of the reporting mandate in light of the definition would not appear to allow for blanket disregard of failed attacks, even though major financial institutions thwart countless potentially devastating attacks on a daily basis. If this proposed requirement becomes part of the final regulation, the burden on covered entities and the DFS itself may be quite substantial.

Covered entities also would need to encrypt nonpublic information in transit and at rest. Although compensating controls approved by the CISO can be used if encryption is not currently feasible, the regulations would impose deadlines of January 2018 and January 2022 for encryption of data in transit and at rest, respectively. Encryption of at-rest data is likely to be one of the most challenging DFS requirements.

The proposed regulations contain many additional requirements, including:

  • Implement a fully documented incident response plan;
  • Maintain audit logs on system changes for six years;
  • Annually review and approve all policies and procedures;
  • Dispose of, in a timely manner, sensitive information that is not needed to provide services;
  • Use multi-factor authentication for privileged access to database servers that allow access to nonpublic information;
  • Adopt policies, procedures and controls to monitor authorized users and detect unauthorized access; and
  • Institute mandatory cybersecurity awareness training for all personnel.

DFS is currently reviewing comments received from the public, but it is not known if the proposed requirements will change in any material way when they go into effect on the anticipated date of Jan. 1, 2017. Covered entities would then have only 180 days to comply with many requirements.

Concluding Thoughts

Although large financial institutions may already have implemented a number of the mandates proposed by DFS, compliance still may be problematic for them because of the prescriptive nature of many of the components of the proposed regulations. And less mature entities would be well served to immediately focus on getting into compliance with the most basic requirements, given their virtually inevitable inclusion in the final regulations and the short deadline for compliance.