True to its inherent conservatism, the insurance industry has adopted a slow and steady approach to managing cyber risks. Insurers have created new forms of insurance to deal with cyber breaches, and regulators have begun to provide a legal framework for reducing industry exposure to major losses such as 2017’s Equifax breach.
Still, the regulatory framework has evolved more slowly than in the investment-advisory or securities brokerage industries, in part due to the conservatism just mentioned and also due to the fragmented nature of insurance regulation. Although the investment-advisory and securities industries have powerful national regulators who have acted decisively to counter cyber risks (SEC and FINRA), insurance regulation is divided among 50 state insurance departments. A national body—the National Association of Insurance Commissioners (NAIC)—lacks broad regulatory authority. Its work consists of creating model statutes for individual state legislature guidance. For example, its Insurance Data Security Model Law was just adopted in late 2017, with multiple state jurisdictions likely to consider it over the next few years.
Slow and steady, however, does not imply weak. When it became clear that cyber-risks posed a serious threat to the industry, the NAIC formed a Cybersecurity Task Force in 2014 to co-ordinate the body’s response. One of the first things it did was draft a document entitled Principles for Effective Cybersecurity: Insurance Regulatory Guidance. Rationale: “Due to ever-increasing cyber-security issues, it has become clear that it is vital for state insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector’s data security and infrastructure,” the NAIC said. “The insurance industry looks to state insurance regulators to aid in the identification of uniform standards, to promote accountability across the entire insurance sector, and to provide access to essential information.”
Based on that statement, you’d be justified thinking the document is for insurance regulators only. But it’s not. Six out of its 12 principles address insurance agent and agency factors. Reviewing them will help you formulate your own cybersecurity policies:
- Confidential and/or personally identifiable consumer data that is collected, stored, and transferred inside or outside of an insurer’s, producer’s, or other regulated entity’s network should be appropriately safeguarded.
- Planning for incident response by insurers, insurance producers, other regulated entities, and state insurance regulators is an essential component to an effective cybersecurity program.
- Insurers, insurance producers, other regulated entities, and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
- Cybersecurity risks should be incorporated and addressed as part of an insurer’s or insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
- It is essential for insurers and insurance producers to use an information sharing and analysis organization (ISAO) to share best practices and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
- Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues, is essential.
Another facet of the Task Force’s work addressed the impact cyberbreaches have on consumers. To provide clarity, it created a “Roadmap for Cybersecurity Consumer Protections,” which is essentially a consumer bill of rights regarding how insurers, agents, and agencies should safeguard customer data and respond to data breaches. The task force envisioned insurance consumers having rights in six broad areas, including:
- The ability to know the types of personal information insurers and agents collect and store.
- The expectation that their insurer or agent will take reasonable steps to keep unauthorized persons from seeing, stealing, or using their personal information.
- The right to get a notice from their company or agent in the event their personal data falls into the hands of an unauthorized person. If this happens, consumers can expect the response to be sent in writing via first-class mail or via e-mail; to arrive promptly, but in no case more than 60 days after the data breach is discovered; to describe the type of information that was released or stolen and provide steps for consumers to protect themselves against resulting identity theft or fraud; to describe the actions taken to keep the consumer’s released or stolen information safe; to include contact information for the three major credit bureaus, as well as that of the insurer and agent involved.
- The right to a number of credit-agency related actions, including the ability to put a 90-day fraud alert, a seven-year extended fraud alert, and a freeze on their credit report.
The capstone of NAIC’s cybersecurity effort is the recently adopted Insurance Data Security Model Law. The measure, which was enacted in October 2017, creates rules for insurers, agents, and other licensed entities covering data security, investigation, and notification of breach. It includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches, and notifying regulators of a cybersecurity event. Although the ultimate impact of this model rule won’t be known until states begin adopting it, it’s fair to say it encourages insurers, agents, and agencies to significantly raise their games when it comes to assuring cybersecurity.
However, one state beat the NAIC’s data security model law to the punch: New York. As we wrote about previously, the measure requires insurance and financial-services firms doing business in New York to assess their cybersecurity risks and to create robust risk management programs. It targets not only large financial institutions such as insurers and banks, but also smaller firms such as insurance agencies and brokerages.
At a high level, the New York law, starting on March 1, 2017, mandated that regulated entities adopt a rigorous cybersecurity program, consisting of the following elements:
- Completing a risk assessment. See this checklist.
- Establishing a security program and policies. See this policy template (IIABNY membership required).
- Limiting and periodically reviewing access privileges.
- Being prepared to give notice of a cybersecurity event using the NY DFS form.
- Preparing an incident response plan (non-exempt entities only).
- Hiring a CISO (non-exempt entities only).
With New York in the cybersecurity regulatory vanguard and the NAIC promulgating its own model law, one can safely assume many more states will jump on board, either enacting the NAIC law or developing their own statute. In either case, insurance agents and agencies will soon be required to adhere to stricter cybersecurity standards than they have in the past. Much like their colleagues in the investment-advisory and securities brokerage worlds, they will find regulators holding their feet to the fire to make sure customer data remains safe and secure. The transition to tighter cyber-regulations may not be entirely painless. But the outcome should prove beneficial to all concerned.