MEC&F Expert Engineers : NEW YORK TO CONDUCT "REGULAR, TARGETED ASSESSMENTS OF CYBERSECURITY PREPAREDNESS" FOR ALL INSURERS DOING BUSINESS IN THE STATE. ANNOUNCEMENT OF ASSESSMENTS FOLLOWS ANTHEM BREACH

Thursday, February 12, 2015

NEW YORK TO CONDUCT "REGULAR, TARGETED ASSESSMENTS OF CYBERSECURITY PREPAREDNESS" FOR ALL INSURERS DOING BUSINESS IN THE STATE. ANNOUNCEMENT OF ASSESSMENTS FOLLOWS ANTHEM BREACH



FEBRUARY 10, 2015

In the wake of the cyber-attack against health insurer Anthem Inc., New York's Department of Financial Services has announced plans to conduct "regular, targeted assessments of cybersecurity preparedness" for all insurers doing business in the state.

"Recent cybersecurity breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber defenses," says Benjamin Lawsky, superintendent of financial services at DFS. "Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers."

Along with the cybersecurity assessments, DFS says it will "put forward" enhanced regulations requiring insurers to meet heightened standards for cybersecurity.

The news comes after Anthem, the second-largest U.S. health insurer, confirmed a compromise of its corporate database, which impacted up to 80 million individuals' personally identifiable information. The insurer believes that the attack began with phishing e-mails sent to a handful of its employees (see: Anthem Breach: Phishing Attack Cited).

Data security attorney Ronald Raether, partner at Faruki Ireland & Cox, predicts that some other states where there's greater political sensitivity to data security issues might launch similar increased scrutiny of insurers and others.

Given the amount of personal information insurance companies retain, "it seems almost implausible that it has taken this long for their cybersecurity capabilities to be formally assessed by regulators," says Al Pascual, director of fraud and security at Javelin Strategy and Research.

"States like New York and California have led the way on these types of regulatory issues, but the thinking at the federal level today is much more in sync with states' concerns on cybersecurity," Pascual says. Insurers throughout the country can expect to be held to similar standards in the not too distant future, "and it is likely that they will be held to task by either state or federal officials," he says.

In addition to its announcement about increased scrutiny of insurers, DFS issued a consumer alert for the 4 million New Yorkers enrolled in Empire Blue Cross Blue Shield, a unit of Anthem. The alert urged consumers to closely monitor their monthly financial statements and watch for phishing scams.
The New York agency's efforts follow a Feb. 6 announcement by the National Association of Insurance Commissioners that it plans to launch an examination of Anthem Inc. involving all state insurance commissioners (see: State Authorities Probe Anthem Hack).

N.Y. Focused on Cybersecurity
The New York agency's ramping up of scrutiny of cybersecurity at insurers comes just weeks after DFS notified banking institutions of expanded IT examination procedures (see: Will Banks Be Required to Have Cyber-Insurance?). In the department's list of expectations, it specifically notes that state banking regulators will expect to see policies related to cybersecurity insurance.

In conducting the cybersecurity assessments of insurers, DFS should build upon existing frameworks for security and compliance to help with consistency, says JD Sherry, vice president of technology and solutions at security vendor Trend Micro. "The assessments should focus less on point-in-time checks and more on reporting that demonstrates continuous security monitoring and compliance," he says. "This would also include analysis of third-party risks for processes and technologies that fall outside of their internal domains."

New Report Analyzes Security
DFS' cybersecurity assessment plans come on the heels of a new report the agency released on cybersecurity in the insurance industry.

A survey of 43 insurers found that 95 percent believe they have adequate staffing levels for information security. But the survey found that only 14 percent of CEOs receive monthly briefings on information security.

Eighty-one percent of the insurers surveyed reported that the percentage of their budgets allocated to information security had increased in the prior three years. "The good news is that budgets focused on improving information security and compliance appear to be increasing across the board," Sherry says.