July 25, 2016 Law & Regulation

CyberSecurity: The next Regulatory Frontier for Insurance

By Kim O'Brien InsuranceNewsNet

Commentary

Cybersecurity has emerged as one of the most critical issues facing government and industry alike. Recently we have seen an ongoing and almost daily presence of major cybersecurity events covering a wide swath of American businesses.

According to a recent article at housingwire.com almost one in four consumers says that their financial data had been hacked online in the past two years. Housingwire.com cites a banking industry survey completed by Accenture, which is a global professional services company providing solutions in strategy, consulting, digital, technology and operations.

The report is based on an online survey of 4,013 bank customers in North America, with about 70 percent of respondents from the U.S and the remaining from Canada.

Despite 23 percent of respondents reporting financial data hacks, consumers are still willing to share their data in order to receive better service from their bank. About 63 percent of respondents are willing to give their bank direct access to personal information.

The Department of Homeland Security is serious about cybersecurity insurance, which is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.

The department believes that a robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by: “promoting the adoption of preventative measures in return for more coverage; and encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”

However, many companies forego available policies because of perceptions about costs, coverage complexity and their vulnerability to a security breach. We spoke with a leading executive of a fixed annuity insurer who said he’s increasing worried over their company’s cybersecurity, acknowledging an increasingly high number of “pings” on their website from “suspicious” IP addresses.

The Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area and address these perceptions.

Traditional commercial general liability and property insurance policies typically exclude cyber risks from coverage, which has led to the emergence of cybersecurity insurance as a “standalone” line of coverage. That coverage typically offers protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, and denial of service attacks, among others.

Unfortunately, few cybersecurity insurance policies provide businesses with coverage for an area of growing private and public concern: the physical damage and bodily harm that could result from a successful cyberattack against critical infrastructure. And while cybersecurity insurance goes a long way to protect the assets of insurance companies, it does very little to protect consumers’ data.

Not surprisingly, the news headlines and incidents have attracted the attention of insurance regulators and industry trade organizations. The New York Department of Financial Services (DFS) has taken significant actions in the area of cybersecurity. Other U.S. state insurance regulators are likely to follow New York’s lead.

Insurance companies face unique risks in the area of cybersecurity because of the large amounts of personally identifiable and, in certain instances, health-related or financial information they collect and maintain. This information is an attractive target for hackers and cyber-terrorists.

The National Association of Insurance Commissioners (NAIC) established a Cybersecurity Task Force in 2015 and its 2016 “charges” include the monitoring of developments in the area of cybersecurity and advising, reporting and making recommendations to the NAIC Executive Committee on cybersecurity issues that have an impact on the insurance industry.

Importantly, for the consumer, the charges include reviewing the NAIC Insurance and Privacy Protection Model Act (#670); the Privacy of Consumer Financial and Health Information Regulation (#672); the Standards for Safeguarding Consumer Information Model Regulation (#673); and the Insurance Fraud Prevention Model Act (#680) and make recommendations to the Executive Committee.

And, last October, the NAIC issued a “Cybersecurity Bill of Rights,” which was developed to describe “the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use your personal information, including what should happen in connection with a notice that your personal information has been involved in a data breach.”

Because, not all of these consumer protections are currently provided for under state law, the Bill of Rights will be incorporated into existing NAIC model laws and regulations.

While these regulatory initiatives are positive activities to help protect consumers, they are mostly governing the insurance companies and not the distribution entities that companies use to market and sell their products.

Americans for Annuity Protection has talked incessantly about the Department of Labor’s Fiduciary Rule and the harmful impact the rule’s requirements will have on consumers who seek the protection of annuities for their income needs.

Cybersecurity is yet another dangerous threat for consumer protection: its recordkeeping requirements for IRA annuity owners. The rule imposes additional recordkeeping compliance requirements on small-service providers, such as broker-dealers, registered investment advisers, insurance companies and agents, pension consultants and others providing investment advice to plans or IRA investors.

The final rule requires that the advisor making the IRA annuity rollover recommendation must keep records that demonstrate compliance with the rule; including adherence to Impartial Conduct Standards. That in turn requires demonstration of compliance with disclosure and material conflict of interests (for variable and fixed indexed annuities) and for fixed rate of interest documentation and defense for the rollover was in the best interest of the client.

Fiduciary documentation under the rule includes keeping records to establish that the recommendation met the risk tolerance, time horizon, financial objectives/goals, assets used to fund the annuity and financial experience of the consumer.

That means separately maintaining sensitive and private information about client’s personal assets, investment assets and guaranteed income expectations from social security and/or pensions, annuities and life insurance. Without cybersecurity protection for consumers, this rule adds to the very real and present danger of hijacked records and identity theft.

As part of its mission to ensure an effectively-regulated marketplace that fosters financial independence with guaranteed annuity income, Americans for Annuity Protection’s Board of Directors has approved our initiative to work with the NAIC and state regulators to address cybersecurity standards for advisors and firms that distribute to annuities to the public. Stay tuned as we bring you information about how to address this issue with appropriate regulation that encourages, not discourages, consumers’ access to annuities.

Mark your calendars for August 25th at 1 p.m. ET for an exclusive AAP webinar with “Just the Facts” about preparing for the DOL Rule with reliable and accurate information about what to expect and what you can do to prepare for any outcome.

Kim O’Brien is the vice chairman and CEO of Americans for Annuity Protection. She has 35 years of experience in the insurance industry. O’Brien served The National Association for Fixed Annuities (NAFA) for almost 12 years and led the organization to defeat the SEC’s Rule 151A.

Contact Kim at [email protected].