Insurers Asleep on Cyber Risk, N.Y. Says

InsuranceNewsNet

WASHINGTON – Insurers are asleep at the switch in protecting their systems against cyber attacks, according to a warning from New York.

As a result, the N.Y. Department of Financial Services (DFS) said on Monday that it plans a number of initiatives in coming weeks to concentrated the industry’s focus on the issue.

These include integrating regular, targeted assessments of cyber security preparedness at insurance companies as part of the DFS examination process; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors; along with other measures.

“Recent cyber security breaches at financial institutions and other major corporations should serve as a wake-up call for insurers to redouble their efforts to strengthen their cyber defenses – particularly given the level of sensitive consumer information that insurers are entrusted with handling,” the DFS said.

The comments were contained in a report on a survey conducted by the DFS of the initiatives insurers doing business in New York are taking to deal with potential cyber threats.

The document was released Monday, just a few days after Anthem disclosed that it had learned in late January that hackers had gained access to a vast array consumer information. This included member names, member health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data.

The breach was only the latest of several high-profile cases. The DFS said that it found through its survey that although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, “the Department did not necessarily find that to be the case.”

Moreover, the department said it found that 95 percent of insurers already believe that they have adequate staffing levels for information security and only 14 percent of CEOs receive monthly briefings on information security.

The DFS said it believes that is inadequate because cyber attacks against financial services institutions, including insurance companies, are “becoming increasingly frequent and sophisticated.”

The survey found that insurance firms often possess large amounts of personally identifiable information (PII) and protected health information (PHI). The department said it had determined that safeguarding such information in digital format is “technologically challenging and expensive.”

The DFS said it also found that the decreasing cost of technology in general, while helpful to legitimate business entities, also “makes it easier and cheaper for cyber criminals to disrupt systems and obtain access to protected data.”

And, the DFS said its survey found that PII and PHI are becoming more valuable on the black market, which increases incentives for cyber attacks.”

The report was based on a survey of cyber security at a significant cross-section of regulated insurance companies during 2013 and 2014. A total of 43 entities, with combined assets of approximately $3.2 trillion, completed a survey seeking information about each participant’s cyber security program, costs and future plans, the DFS said.

Of the total 43 insurance providers that completed the DFS’ cyber security questionnaire, 21 were health insurance providers, 12 were property and casualty insurance providers, and 10 were life insurance providers, the DFS said. The reported assets of each entity surveyed range from approximately $4 million to $403 billion, the report said.

The National Association of Insurance Commissioners (NAIC) also jumped into the issue on Friday after the Anthem disclosure. The group called for a multi-state examination of Anthem and its affiliates.

Within hours, the insurance commissioners of California and Florida said they would take the lead in conducting such an examination. Monica Lindeen, NAIC president and Montana commissioner of Securities and Insurance, added that given the potential scope of the breach and the number of affected consumers, the NAIC anticipates all 56 states and territories will sign on to the examinations, which will be inclusive of all subsidiaries and affiliates of Anthem affected by the breach. Lindeen said states with significant Anthem business are expected to take the lead: Indiana, California, Missouri, Maine and New Hampshire.

InsuranceNewsNet Washington Bureau Chief Arthur D. Postal has covered regulatory and legislative issues for more than 30 years. He can be reached at [email protected].

© Entire contents copyright 2015 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.