Cyber Security in insurance: the New York Department of Financial Services comments

What are the implications of the newly-published 'Report on Cyber Security in the Insurance Sector'? Vikram Sidhu of Clyde & Co explains.

Manhattan, New York

On February 8, 2015, the New York Department of Financial Services (NYDFS) issued its Report on Cyber Security in the Insurance Sector (the Report).  The Report comes at a time of increased scrutiny of cyber security by various regulators as well as significant cyber-attacks against businesses, including a recent major attack against health insurance company Anthem Inc. that led to the exposure of confidential personal information of up to 80 million US residents.  Although the NYDFS press release accompanying the report cites the Anthem cyber-attack as a red flag for other insurers, the Report is part of a broad review by NYDFS of cyber security and cyber preparedness of the financial industry and is based on work that began well before the Anthem issues surfaced.  

Sophisticated threats

The Report principally draws on the results of a survey conducted by NYDFS of 43 New York regulated insurers, including 21 health insurers, 12 property and casualty insurers, and 10 life insurers with reported asset sizes ranging from $4m to $403b.  The survey asked about various cyber security issues such as the insurer’s cyber security programs, costs and future plans in relation to cyber security.  Most survey respondents reported that they continued to be challenged by the sophistication of cyber security threats and the speed at which technology is changing.  The Report noted that only 14 percent of chief executive officers receive monthly briefings on information security, and that although 95 percent of respondents believe that they have adequate staffing levels for information security, only around half consider their current practices to be adequate to address new and emerging cyber risks.

More regulatory focus

While the Report did not reveal new cyber security policy or rule-making, NYDFS did note that it is in the process of developing enhanced regulations.  The Report advises that, in addition to seeking to impose heightened standards generally, any new rules may include stronger measures related to the representations and warranties insurance companies receive from third-party vendors.  NYDFS has also suggested that the recently introduced requirement for insurers to file an annual enterprise risk management report (the purpose of which is to identify material risks to the insurers’ ongoing operations) will be developed further so as to require a more explicit focus on cyber security measures.

Organic response

In the Report, NYDFS notes that it seeks to better understand the emerging cyber insurance market in order to consider the ways in which the regulator can better support and encourage its growth, both in principle and with a view to harnessing it to secure higher cyber security standards across the financial services market generally.  To date, the cyber insurance industry has developed organically such that policies are sold under a variety of different titles and forms with varying limitations and exclusions.

State of urgency

In addition to NYDFS, other US state insurance regulators have also recently become much more focused on cyber security and cyber insurance issues.  The US National Association of Insurance Commissioners (NAIC) created the Cybersecurity (EX) Task Force in November of last year.  The task force will monitor developments regarding cyber security and make recommendations on such issues.  In light of the Anthem cyber-attack, the NAIC announced that it expects all US states and territories to urgently review best practices for cyber security and determine whether regulatory action is warranted across the wider insurance industry.  

Cyber intelligence

These developments in New York, other states and at the NAIC come at the same time as other US regulators are also focused on cyber security.  In early February, the US Securities and Exchange Commission released a “Risk Alert” (as part of its wider “Cybersecurity Examination Initiative”) and the US Financial Industry Regulatory Authority released a related report titled “Report on Cybersecurity Practices”; both address the legal, regulatory, and compliance issues associated with cyber security of broker-dealers and investment advisers and the general vulnerability of the securities industry.  Also in early February, US President Obama announced the establishment of a centralized intelligence gathering agency for cyber security matters (to be known as the Cyber Threat Intelligence Integration Center), which is intended to integrate cyber intelligence gathering across government law enforcement agencies beginning later this year.

Insurance company action

Given the significant potential losses and harm to the insurance industry from cyber security breaches, bolstering cyber security is likely to remain at the forefront of regulatory priorities both in the US and globally in coming years.  The insurance industry will need to respond both to cyber security threats and to the heightened standards to which regulators will hold it.

Author: Vikram Sidhu is a New York-based partner in Clyde & Co focusing on insurance and reinsurance corporate, finance and regulatory matters, mergers and acquisitions, and general corporate and commercial matters.
