February 10, 2015
In the wake of the cyber-attack against health insurer Anthem Inc., New York's Department of Financial Services has announced plans to conduct "regular, targeted assessments of cybersecurity preparedness" for all insurers doing business in the state.
"Recent cybersecurity breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber defenses," says Benjamin Lawsky, superintendent of financial services at DFS. "Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers."
Along with the cybersecurity assessments, DFS says it will "put forward" enhanced regulations requiring insurers to meet heightened standards for cybersecurity.
The news comes after Anthem, the second-largest U.S. health insurer, confirmed a compromise of its corporate database, which impacted up to 80 million individuals' personally identifiable information. The insurer believes that the attack began with phishing e-mails sent to a handful of its employees (see: Anthem Breach: Phishing Attack Cited).
Data security attorney Ronald Raether, partner at Faruki Ireland & Cox, predicts that some other states where there's greater political sensitivity to data security issues might launch similar increased scrutiny of insurers and others.
Given the amount of personal information insurance companies retain, "it seems almost implausible that it has taken this long for their cybersecurity capabilities to be formally assessed by regulators," says Al Pascual, director of fraud and security at Javelin Strategy and Research.
"States like New York and California have led the way on these types of regulatory issues, but the thinking at the federal level today is much more in sync with states' concerns on cybersecurity," Pascual says. Insurers throughout the country can expect to be held to similar standards in the not-too-distant future, "and it is likely that they will be held to task by either state or federal officials," he says.
In addition to its announcement about increased scrutiny of insurers, DFS issued a consumer alert for the 4 million New Yorkers enrolled in Empire Blue Cross Blue Shield, a unit of Anthem. The alert urged consumers to closely monitor their monthly financial statements and watch for phishing scams.
The New York agency's efforts follow a Feb. 6 announcement by the National Association of Insurance Commissioners that it plans to launch an examination of Anthem Inc. involving all state insurance commissioners (see: State Authorities Probe Anthem Hack).
N.Y. Focused on Cybersecurity
The New York agency's ramping up of scrutiny of cybersecurity at insurers comes just weeks after DFS notified banking institutions of expanded IT examination procedures (see: Will Banks Be Required to Have Cyber-Insurance?). In the department's list of expectations, it specifically notes that state banking regulators will expect to see policies related to cybersecurity insurance.
In conducting the cybersecurity assessments of insurers, DFS should build upon existing frameworks for security and compliance to help with consistency, says JD Sherry, vice president of technology and solutions at security vendor Trend Micro. "The assessments should focus less on point-in-time checks and more on reporting that demonstrates continuous security monitoring and compliance," he says. "This would also include analysis of third-party risks for processes and technologies that fall outside of their internal domains."
New Report Analyzes Security
DFS' cybersecurity assessment plans come on the heels of a new report the agency released on cybersecurity in the insurance industry.
A survey of 43 insurers found that 95 percent believe they have adequate staffing levels for information security. But the survey found that only 14 percent of CEOs receive monthly briefings on information security.
Eighty-one percent of the insurers surveyed reported that the percentage of their budgets allocated to information security had increased in the prior three years. "The good news is that budgets focused on improving information security and compliance appear to be increasing across the board," Sherry says.