On March 26, Superintendent Benjamin Lawsky of the New York Department of Financial Services (NY DFS) issued a letter spelling out a requirement for insurers to provide information related to their cybersecurity programs by April 27. The letter states that the information requested will be used to perform a risk assessment for future inspection activities. The short response time may indicate the great sense of urgency and importance that the State of New York is placing on this initiative.
This latest initiative is one of a series of surveys and draft guidance issued in the past few months by New York and other regulators regarding cybersecurity, and is viewed as reaction to the string of destructive breaches occurring in the US financial services sector.
The NY DFS requirement essentially asks for a hierarchical description of the major components of an insurer’s cybersecurity program:
- Chief Information Security Officer (CISO) job description
- General information security policies
- Vulnerability management programs
- System development life cycle and change control
- Access control, including use of multifactor authentication
- Continuity planning
- Insurance coverage
Superintendent Lawsky also was very clear on priority areas in his talk at the National Association of Insurance Commissioners (NAIC) conference on March 29, 2015:
Third party management
Insurers should have a clear understanding of their data flows into and out of vendors, understand their vendors’ cybersecurity programs, as well as, ascertain vendors’ understanding of cybersecurity programs of their downstream third parties (fourth party service organizations).
Use of multi-factor authentication (MFA) and stronger access controls over removable media needs to become a minimum standard
Passwords are not inherently ineffective; however, they are providing a false sense of security and are becoming part of the problem.
Use of encryption, not only on transmitted data, but especially for data at rest
This addresses the idea of defense in depth – that external sources may be able to get past perimeter defenses so insurers needs to protect the underlying data.
What to do now
We recommend insurers be proactive in providing the requested information and formal responses to NY DFS. Insurance organizations should begin gathering the requested information in a timely manner to allow ample time to provide complete information.
To learn more about this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.