Within the last several months, two significant insurance organizations have announced greater involvement in initiatives to reduce cybersecurity risk throughout the insurance industry. The New York State Department of Financial Services (NY DFS) released the results of its survey on cybersecurity practices and the National Association of Insurance Commissioners (NAIC) recently adopted a set of cybersecurity regulatory principles.
Taken together, these initiatives signal that state regulators are increasingly concerned about cybersecurity risks and are preparing to put greater emphasis on them in the years ahead. Instead of waiting, insurers should take steps now to address the common themes that have emerged.
Cybersecurity is not purely a technical issue; it is a business issue. Any business decision (e.g., offering a new service or product, using a third-party service, acquiring a new business) may significantly increase an organization’s cyber-risk. As a result, cyber-risk needs to be considered in light of corporate strategy, customer service, public relations, and other areas.
Both the NY DFS and the NAIC have said that they expect cybersecurity risks and mitigating steps to be included in ERM programs.
The NAIC has explicitly called for the use of a flexible, scalable, practical framework (e.g., NIST) that is consistent with nationally recognized efforts. The NIST framework meets that requirement, is intended to be used across industries, and allows for flexibility given an organization’s risk, size, and complexity.
We have found the use of a cybersecurity framework like NIST to be very beneficial:
Both the NY DFS and the NAIC have called on insurers to join an information sharing and analysis organization such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is a not-for-profit organization meant to facilitate the sharing of credible threat intelligence. It has a range of membership and fee options from which to choose.
Both the NY DFS and the NAIC have said that management of third parties entrusted with sensitive information needs to be a component of an insurer’s cybersecurity program. Regulators will expect to see provisions for:
Whether insurers put increased focus on cybersecurity risk to meet the requirements of state regulators or to reduce their exposure to reputational, financial, or operational risks, these actions make good business sense given the current threat environment faced by the insurance industry.
For more information on this topic, or to learn how Baker Tilly’s insurance industry specialists can help, contact our team.