NYDFS Announces New, Targeted Cyber Security Assessment for Insurers

Benjamin M. Lawsky, Superintendent of Financial Services, today announced the release of a Department of Financial Services (DFS) report on cyber security in the insurance industry and a series of measures that DFS will take to help strengthen cyber hacking defenses at insurers.

Published on February 10, 2015

In the coming weeks and months, DFS will integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the Department's examination process; put forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and examine stronger measures related to the representations and warranties insurance companies receive from third-party vendors, among other measures.

Superintendent Lawsky said: "Recent cyber security breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data."

DFS conducted a survey with respect to cyber security at a significant cross-section of its regulated insurance companies. A total of 43 entities, with combined assets of approximately $3.2 trillion, completed a survey seeking information about each participant's cyber security program, costs, and future plans.

Notably, the Department's analysis of the insurers surveyed found that a wide array of factors - not just reported assets - affect the sophistication and comprehensiveness of the insurers' cyber security programs. In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.

Moreover, the Department found that 95 percent of insurers already believe that they have adequate staffing levels for information security and only 14 percent of chief executive officers receive monthly briefings on information security. Recent cyber security breaches at financial institutions and other major corporations should serve as a wake-up call for insurers to strengthen their cyber defenses - particularly given the level of sensitive consumer information that insurers are entrusted with handling.

In addition to today's report and actions related to the insurance industry, DFS has also taken a series of steps to help strengthen cyber security in the banking sector. In December 2014, DFS issued industry guidance to all its regulated banks outlining the specific issues and factors on which those institutions will be examined as part of new targeted, DFS cyber security preparedness assessments. Among other factors, banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; and the security of their third-party vendors.

DFS has also issued a consumer alert for Anthem (the owner of Empire Blue Cross Blue Shield) in light of the recent data breach at that company. There are more than 4 million Empire Blue Cross Blue Shield customers in New York.