American Council of Life Insurers Issues Public Comment to Homeland Security

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com

WASHINGTON, Nov. 24 -- The American Council of Life Insurers has issued a public comment to the U.S. Department of Homeland Security. The comment was written on Nov. 14, 2022, and posted on Nov. 15, 2022.

The comment, on Docket No. CISA-2022-0010, was sent to Todd Klessman, rulemaking team lead of the Cybersecurity and Infrastructure Security Agency.

* * *

The American Council of Life Insurers (ACLI)/1 appreciates the opportunity to respond to CISA's request for information (RFI) in advance of its Notice of Proposed Rulemaking (NPRM). The ACLI acknowledges the threat cyber incidents, including ransomware attacks, can pose to national and economic security. We support the work CISA is doing to combat this threat through coordinated, appropriate national cyber incident and ransom payment reporting and hope our comments and suggestions prove useful.

INTRODUCTION

Insurance companies have robust data security programs in recognition of their affirmative obligation to protect the security of their customers' personal information and the information systems on which such information is stored. ACLI urges CISA to consider the state cybersecurity regulation of insurers, as well as CIRCIA's risk-based approach to determining inclusion, and exclude insurers from reporting obligations under CIRCIA.

STATE REGULATION OF THE INSURANCE INDUSTRY

* Presidential Policy Directive/PPD-21/2 states, "Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from a sector identified Sector-Specific Agency that has institutional knowledge and specialized expertise about the sector." This is especially true of the insurance industry.

* Primarily regulated by the states, the insurance industry is a unique subset of the financial services sector. The McCarran-Ferguson Act of 1945 exempts the regulation of insurance from most federal regulation. The McCarran-Ferguson Act declared "that the continued regulation and taxation by the several States of the business of insurance is in the public interest, and that silence on the part of the Congress shall not be construed to impose any barrier to the regulation or taxation of such business by the several states." It stated that from then on, "no...

1 The American Council of Life Insurers (ACLI) is the leading trade association driving public policy and advocacy on behalf of the life insurance industry. 90 million American families rely on the life insurance industry for financial protection and retirement security. ACLI's member companies are dedicated to protecting consumers' financial wellbeing through life insurance, annuities, retirement plans, long-term care insurance, disability income insurance, reinsurance, and dental, vision and other supplemental benefits. ACLI's 280 member companies represent 95 percent of industry assets in the United States.

2 Presidential Policy Directive/PPD-21

* * *

...Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any state for the purpose of regulating the business of insurance."/3

* For decades, states have operated an interconnected, yet independent regulatory system to govern all aspects of the insurance business, including cybersecurity. All 50 states and DC have insurer-specific data security breach notification requirements./4

* 21 of those states have enacted a version of the National Association of Insurance Commissioners' (NAIC)/5 Insurance Data Security Model Law./6

Adopted by the NAIC in 2017, the Model Law builds on the existing broad regulatory authority vested in state insurance regulators and establishes standards for data security. Moreover, it provides standards for the investigation of and notification to a state insurance commissioner of a cybersecurity event. Like CIRCIA, the Model Law requires a 72-hour timeline to report cybersecurity events.

* The National Association of Insurance Commissioners (NAIC) recognizes cybersecurity as a priority in the insurance industry.7 The NAIC's Innovation, Cybersecurity, and Technology (H) Committee/8 provides a forum for state insurance regulators to discuss cybersecurity, monitor developments, coordinate NAIC cybersecurity efforts across other committees, make recommendations, and develop regulatory, statutory, or guidance updates.

* The NAIC provides several tools to assist state regulators in managing cybersecurity in the insurance industry./9

These tools include the Principles for Effective Cybersecurity: Insurance Regulatory Guidance,/10 Financial Condition Examiners Handbook, Market Regulation Handbook, and the Cybersecurity Vulnerability Response Plan.

* ACLI requests that CISA consider the established state-based insurance regulatory system, as well as the current comprehensive oversight of cybersecurity in the insurance industry, when drafting regulations promulgated under CIRCIA.

DEFINITIONS, CRITERIA, AND SCOPE OF REGULATORY COVERAGE

* To be effective, CISA must remain within CIRCIA's stated boundaries and develop regulations that filter the wide range of cyber incidents occurring in our country to focus on those posing the greatest threat to economic and national security. Reporting cyber incidents and ransom payments to CISA is most beneficial when CISA's response is accurate, actionable, and useful. Broad inclusion will overwhelm CISA's investigation resources, thereby reducing its effectiveness in disrupting threat actors.

Covered Entity

3 https://content.naic.org/cipr-topics/mccarran-ferguson-act

4 A copy of the ACLI Security Breach Law Survey is available to CISA upon request. The Law Survey includes the definition of cybersecurity breach, the notification trigger and requirements, the enforcement authority, and other unique provisions in effect in each of the 50 states, DC, and Puerto Rico.

5 The National Association of Insurance Commissioners (NAIC) provides expertise, data, and analysis for insurance commissioners to effectively regulate the industry and protect consumers. Founded in 1871, the U.S. standard-setting organization is governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories to coordinate regulation of multistate insurers.

6 https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf

7 https://content.naic.org/cipr-topics/cybersecurity

8 https://content.naic.org/cmte_h.htm

9 NAIC Summary of Cybersecurity Tools

10 NAIC Principles for Effective Cybersecurity: Insurance Regulatory Guidance

* * 8

* Not all entities categorized as part of a critical infrastructure sector should be considered "covered entities." CIRCIA gives CISA leeway in defining "covered entity" so long as it is an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.

* ACLI believes that any new federal regulations should not needlessly duplicate the states' oversight efforts nor the cybersecurity reporting requirements with which insurers already must comply under existing law. In determining the criteria for a "covered entity," it is imperative that CISA factor in the extent to which an industry is subject to existing cybersecurity regulation and notification requirements, whether it be at the state or federal level.

* Keeping the initial categorization of "covered entity" narrow will also allow time to test the reporting process and scale up capacity, if necessary. Limiting the initial "covered entity" categorization will conserve CISA's resources for the extensive work needed to coordinate reporting requirements and establish sharing agreements with other federal agencies.

* The definition of "covered entity" must incorporate the elements contained in Section 2242 (c)(1). The elements include "(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure."

* These elements create a risk-based approach in determining what is considered a "covered entity." Of these elements, the probability a disruption to an entity could harm national and economic security is likely the most restrictive. As such, it should be used as key criteria in determining whether an entity is "covered." ACLI suggests CISA focus on those financial service companies that provide core financial products or services where a compromise of its information or information systems would be a threat to national and economic security.

* While insurers are an important component of our nation's critical infrastructure, its products and services are such that a disruption is unlikely to threaten national security and most likely to remain limited to impacts on the insurer and its customers.

* Guidance should be clear about whether an entity is or is not a "covered entity," and therefore subject to CIRCIA reporting requirements. When a cyber incident or ransom attack occurs, entities often must dedicate considerable resources to mitigating the incident. Attempting to determine whether an entity is subject to reporting requirements during this time is not the best use of resources, nor is it in the best interest of the entity's customers or national security.

* Given the interconnectedness of businesses, CISA should take practical consideration of third-party service providers, including cloud service providers, when establishing the criteria for a "covered entity." A cyber attack that exploits the concentration risk of third-party service providers would impact entire industry sectors.

* CISA should also account for the contractual agreements between covered entities and their third-party service providers. Many of these contractual agreements include a cybersecurity notification provision, including the respective notification responsibilities of the contracting parties. The regulations should be structured to limit the number of entities reporting the same covered incident. Moreover, covered entities should only be required to report to the extent they are affected by a covered cyber incident.

* Finally, we point out that certain terms, including "third-party service provider" could be defined and understood differently in different industry sectors. All terms should be clearly defined for the purposes of the regulations promulgated under CIRCIA. Where practicable, such definitions and terms should align with a well-regarded, pre-existing standard, such as those developed by the National Institute of Standards and Technology (NIST)./11

Covered Cyber Incident

* Clear guidance on the criteria for a "covered cyber incident" designation will help identify and prioritize the highest risk cyber incidents for CISA's evaluation. This guidance should not be prescriptive. Instead, such criteria should be flexible, risk-based, and considerate of a covered entity's particular risk profile.

* While incorporating the elements contained in Section 2242 (c)(2), CIRCIA's criteria for a "covered cyber incident" should set a high threshold for reporting and only include the reporting of cyber incidents that are likely to harm the national or economic security of the United States. If a sufficiently high threshold is not set, CISA risks receiving a high volume of reports also received by other federal and state government agencies. This is likely to result in duplicated government response efforts and an inefficient use of resources, sowing confusion and hindering mitigation efforts.

* By establishing a high threshold for reportable incidents, CISA's notification requirements will build upon other, broader reporting requirements, whether state or federal. A tighter focus for the CIRCIA reporting criteria will make it easier to harmonize government efforts by establishing CISA as the preeminent federal government response to those cyber incidents that are likely to harm national and economic security.

* Per CIRCIA Section 2240 (6), any requirements to notify CISA of a cyber incident should apply only to events that actually jeopardize information on information systems or information systems. Potential or imminent jeopardy does not meet this standard.

* Regulations that incorporate a risk of harm analysis to critical infrastructure, as laid out in Section 2242 (c)(2) will help to ensure only those cyber incidents which lead to a substantial loss of confidentiality, integrity, or availability of information or an information system are required to be reported. This substantial impact should be measured by its likelihood to harm national or economic security. Tying the criteria for a "covered entity" as well as a "covered cyber incident" to impact on national and economic security aligns these terms and makes clear the standards for reporting under CIRCIA.

* Where there is no disruption to business operations, CISA should consider clearly excluding incidents where there has been a determination that information was not viewed, accessed, or acquired. For example, where there is no disruption to business operations, a "covered cyber incident" should not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. Further, the definition should specify that such information is nonpublic, electronic information in the possession of a covered entity.

* The regulations should account for the good faith judgment of covered entities in determining whether a cyber incident meets the criteria of a "covered cyber incident."

11 As part of the U.S. Department of Commerce, NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.

* * *

REPORT CONTENTS AND SUBMISSION PROCEDURES

Covered Cyber Incident and Ransom Payment Reports

* ACLI recommends a standardized, streamlined reporting method. While a designated portal for standardized submissions is ideal, it is possible covered entities will need access to alternative secure reporting methods, which should be available when necessary.

* When a cybersecurity event is occurring, a covered entity's goal is to mitigate the event, fix the vulnerability, and communicate with impacted stakeholders and customers. Notification of a covered cyber incident or ransom payment should contain only the most pertinent information, restricted to those delineated in Section 2242 (c)(4), to conserve covered entities' resources for mitigation. Any material, new information, or material changes to the information included in the initial notification to CISA, can be provided in a supplemental report.

* Insisting on comprehensive information in the notification can lead to both under and overstating the significance of a covered cyber incident.

* CISA must consider the sensitive nature of the information included in an incident report and develop a clear set of principles to govern how they protect and use the data they collect, as well as with whom it will be shared.

* As a repository for the sensitive information and security vulnerabilities of covered entities, CISA will become a prime target of bad actors. CISA must develop mitigation strategies to ease this concentration risk. It is vital that CISA not require, share, or retain information in such a way that it provides a roadmap for bad actors to exploit vulnerabilities in United States critical infrastructure.

Reasonable Belief And 72-Hour Reporting Timeline

* CIRCIA states, "A covered entity that experiences a covered cyber incident shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred."

* The "reasonable belief trigger" must constitute actual reasonable belief that a confirmed cyber incident meets the threshold criteria of "covered cyber incident." It is also important to recognize that it can take time to determine whether an incident has met the threshold of a covered cyber incident. It is in CISA's, and ultimately the nation's, best interest to receive accurate information. Accuracy must not suffer in a misplaced preference for timeliness.

* When determining "reasonable belief," CISA should recognize that, particularly for less resourced entities, incidents that may occur over a weekend or on a holiday may not be discovered or fully investigated until the next business day.

* CISA should also note that due to the broad trigger criteria in some other federal and state government agency reporting requirements, CISA might not receive the first report of an incident. It's imperative that CISA recognize the varying reporting triggers that many entities must currently interpret when complying with a range of cybersecurity reporting requirements.

* Covered entities, who in good faith do not reasonably believe a covered cyber incident has occurred, should not be subject to penalty.

Supplemental Reports

* A covered entity's obligation to update CISA about changes to information provided previously only applies if substantial new or different information becomes available or if the covered entity makes a ransom payment.

* Substantial new or different information should be defined as information that has a material impact on specified concepts such as intent, IOC/TTPs,/12 consequences to national and economic security, or the reliable operation of critical infrastructure.

* A covered entity should have no obligation to update information provided previously if the changes to that information are not material.

Balancing Reporting Requirements with Investigation

* Requirements for reporting substantial cyber incidents must be considerate of the focused emergency efforts of covered entities along the lifecycle of the security incident response process. Regulator reporting requirements within the identification, containment, or eradication phases of incident response divert attention from the focused acts of minimizing the impact of the incident.

* Reporting requirements will have an outsized impact on smaller covered entities with fewer resources to devote to both reporting and investigation and mitigation.

OTHER INCIDENT REPORTING REQUIREMENTS AND SECURITY VULNERABILITY INFORMATION SHARING

Existing Or Proposed Federal Or State Reporting Regulations and Directives

* In November 2021, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) published a rule imposing notification requirements on banking organizations and bank service providers not later than 36 hours after certain "computer-security incidents" that may materially and adversely impact the banking organization. Notification requirements include those related to a non-bank affiliate insurer./13

* Many of ACLI's member companies sell vision, dental, and long-term care insurance, and may be subject to HIPAA's federal cybersecurity reporting requirement. HIPAA mandates that if a data breach occurs which exposes the personal health information of more than 500 individuals, the Department of Health and Human Services' Office for Civil Rights must be notified "without unreasonable delay," and certainly within 60 days of the discovery of the breach./14

* Insurers also report under the Payment Card Industry Data Security Standard (PCI DSS),/15 which establishes cybersecurity controls and business practices that any company that accepts credit card payments must implement. Per the PCI DSS, merchants have an obligation to notify their payment processor of any breach.

* The Securities and Exchange Commission (SEC) is in the process of rulemaking for regulations requiring registered investment companies (which includes insurance company separate accounts), investment advisors, and registrants under the 1934 Act to notify the Commission of "significant/material cybersecurity incidents." If passed in anything close to their current form,...

12 Indicator of Compromise (IOC)/Tactics, Techniques, and Procedures (TTPs)

13 86 FR 66424. The rule also requires certain bank service providers to notify each affected institution after experiencing a certain computer-security incidents.

14 45 CFR Secs. 164.400-414.

15 https://www.pcisecuritystandards.org/standards/

* * *

...the two SEC rules would require cyber incident reports, along with notices to clients, public filings, and ongoing disclosures./16

* Insurance companies comply with voluntary cybersecurity notification requirements as well. These voluntary cybersecurity notification requirements include those to the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center (FS-ISAC)./17

In addition, many insurers have voluntarily reported to CISA for years, seeing CISA as a valuable resource in managing cyber-attacks.

* As previously discussed in this letter, insurers are subject to cybersecurity oversight and reporting requirements in all fifty states, DC, and Puerto Rico.

* Managing multiple federal and state cybersecurity regulatory requirements is extremely burdensome if reporting is not harmonized between federal agencies or duplicates the states' cybersecurity oversight.

Substantially Similar Reported Information and Timeframe

* Layering substantially similar cyber incident notification obligations on covered entities will hinder CISA's efforts to coordinate a response to cybersecurity incidents that may harm national and economic security or disrupt critical infrastructure.

* Robust sharing agreements will go far in alleviating the burden on covered entities that are currently subject to multiple reporting obligations.

* Section 2242 (a)(5)(B) provides that covered entities may be exempt from reporting under CIRICA if the covered entity is also required to report substantially similar information to another federal agency within a substantially similar timeframe. The exemption only takes effect once an agency agreement and sharing mechanism are in place between CISA and the respective federal agency.

* Clarifying the terms "substantially similar information" and "substantially similar timeframe," as well as setting up these agency agreements and sharing mechanisms, should be a top priority for CISA. We recommend CISA have as many agreements and sharing mechanisms in place as possible when the regulations promulgated under CIRCIA become effective. Any sharing mechanism should assure the durability of the interagency agreements creating the preemption. As administrations change, along with government agency heads, the sharing mechanisms should be relied upon to remain intact. Sharing mechanisms should also eliminate the need to report in multiple formats.

* Moreover, CISA should consider its concurrent or separate jurisdiction with the Department of Justice. Covered entities will need guidance on how to proceed if compliance with CIRCIA reporting requirements will interfere with an active criminal investigation. Covered entities that comply with reporting requirements should be afforded a safe harbor from civil and criminal legal jeopardy.

CONCLUSION

16 87 FR 16590.

17 FS-ISAC's mission is to help ensure the resilience and continuity of the global financial services infrastructure against acts that could significantly impact the sector's ability to provide services critical to the orderly function of the global economy.

* * *

A targeted, coordinated approach to federal cybersecurity notification requirements will help to ensure that businesses within United States critical infrastructure can focus their resources on preventing and mitigating cyber incidents. The regulations promulgated under CIRCIA should establish a high threshold for reporting that does not duplicate the reporting requirements of other federal agencies and the states. In assessing whether an insurer is classified as a "covered entity," ACLI encourages CISA to consider the comprehensive cyber incident reporting requirements under the state insurance regulatory system, in combination with CIRCIA's risk-based approach in Section 2242 (c)(1), and exclude insurers. The ACLI respectfully submits these comments on behalf of its member companies and would be happy to discuss our comments or answer any questions.

Sincerely,

Chanda Brady

Associate Director, Cybersecurity Working Group Lead, ACLI

* * *

Original text here: https://downloads.regulations.gov/CISA-2022-0010-0095/attachment_1.pdf