If you're an insurance company, it may be time to open your cyber-related checkbooks if you haven't done so already. New York Governor Andrew Cuomo's Department of Financial Services ("NYSDF") soon may be watching you. They're already asking questions as if certain insurers were "persons of interest," just as it did earlier this year with certain of the larger banks.
On May 28, the NYSDF sent what are referred to as "308 letters" to 31 regulated health, life and general liability insurance companies (seemingly those with the highest premium revenue). The NYSDF's letters request information on (1) the insurers' existing IT-related management policies and procedures with respect to the prevention of cyber attacks, (2) actual cyber attacks occurring within the past three years, (3) the quantum of funds and resources dedicated to cybersecurity, and (4) how they safeguard customers' and business entities' health and personally identifiable information (the letters specifically identify financial information as a subject category).
Responses to the NYSDF's 308 letters are not discretionary. Rather, the target insurers are required New York law to respond to the regulator's inquiry.
According to Governor Cuomo, the extraordinarily sensitive health, personal, and financial information that New Yorkers residents entrusts to their insurance companies is a virtual treasure trove for hackers."
So, why exactly is Governor Cuomo training his sights on insurers? Underwriters, brokers and claims professionals know why. I was asked that very question by Reuters for an article published on May 28, literally hours after the NYSDF announced the initiative (here).
Quoting from the Reuters article (with full credit to its author and research team):
"One expert in cyber law said the rigor of the insurance underwriting process meant that insurers know details about lots of companies across a variety of industries a candy store of sorts for hackers looking for ways to attack Corporate America.
If I'm going to become your insurer, I want to make sure you are going to be a good risk. I need to strip apart your business," said Richard Bortnick, a Philadelphia-based attorney."
Insurance companies and underwriters compile reams of information about prospective policyholders, including health, financial and other personal details, histories of claims, potential claims and wrongful acts, and so on. Its all there. And many of the larger insurers have moved to virtual platforms where all information is stored on servers. Remote servers. Which, hopefully, are owned by cloud providers and others protected by ... cyber insurance. (I trust all of my readers knew that was coming).
Needless to say, Governor Cuomo's investigation into the insurance sector is just one more example of how regulators are going to force corporate America and others to lock-down their systems and employ robust risk management, loss prevention, risk transfer, and incident response programs.
I've been singing this song for quite a while (and many of you were growing weary of hearing me say it, as was I, actually). And Governor Cuomo has provided further evidence that time is growing short before information protection regulations are enacted across the globe.
Once that happens, those companies which did not implement cyber-related best practices will become reactive rather than proactive (which, from my experience, means you pay me more later than you would have paid yesterday before the cyber incident occurred). The SEC issued its Cyber Guidance in October 2011. The FTC has been increasingly proactive. Anyone paying attention is concerned about infrastructure and the possibility of expanded cyber warfare (if you are of the view that the cyber war already has begun). And cyber breaches are reportedly daily.
Simply stated, the planning, implementation and execution of cyber-related best practices will take time and attention. It does not happen overnight or even in some cases in 365 overnights. In my view, its time to turn the lights on and see what's there and how we adjust it to meet the evolving and rapidly changing regulatory climate. Waiting is simply delaying the inevitable. And if there is going to be an inevitability, it should be on your terms, not a regulator's.