Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.
Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.
As former President of the National Association of Insurance Commissioners (NAIC) and Chairman of the NAIC’s National Cybersecurity Task Force, I had the opportunity to help shape the NAIC draft, which is covered at length in Cybersecurity Regulatory Issues in the Insurance Industry, a white paper I co-authored with my new colleagues in the Risk and Compliance and Information Security practices at Protiviti.
With the New York regulation in place and the NAIC model moving towards completion and subsequent adoption by states, it is important for insurers to anticipate the increased rigor in this area on future examinations and take steps now to identify and mitigate possible compliance gaps. To begin with, insurers should ask themselves the following questions:
- Right now, how well will we perform on a statutory or targeted financial exam that includes a review of our cybersecurity posture and data security?
- If licensed in New York, how well will we perform on a NYDFS review of our cybersecurity processes and protocols?
- Once the NAIC model is in place, how well will we perform on a state review or examination of our cybersecurity processes and protocols?
- If we sell cyber liability insurance products, will the information we are now required to disclose to insurance regulators raise any questions, and are we prepared to address them?
There are four basic steps every organization can take now to answer these questions:
- Self-analysis — Conduct a comprehensive risk analysis to determine the organization’s unique cybersecurity risk profile. This should include any and all risks posed by third-party vendors with access to policyholder data.
- Crown jewels — Identify the most valuable and sensitive data in your company’s possession, and in the care of third-party vendors. Determine what systems are in place to guard and defend that data, wherever it resides, against cyber intrusion.
- Detection — Review and evaluate all processes and procedures in place to detect system breaches and to prevent data theft. Detection should take place as close to real time as possible. Detecting a breach after the data is gone is not a position you want to be in.
- Response — Review, or develop, an incident response plan. A good plan serves as a playbook, with specific protocols for risk management, recovery, regulatory notification and customer communications.
The time for insurers to make sure they are covered in these four areas and can answer the four questions is now. Cybersecurity oversight by insurance regulators is imminent, and it is highly unlikely that regulators will be looking at the efforts as merely a “check-the-box” exercise. As always, it is much better to find and fix any gaps early, before they show up on an examiner’s report.
The truth is that if your organization has not looked at these areas already, it may be exposed to a preventable cybersecurity threat. There is absolutely no benefit in waiting until the next exam to give cybersecurity preparedness a critical look.
For additional background and analysis of the upcoming NAIC model, download our white paper here.