What insurance organizations can do now to prepare for state regulatory cybersecurity initiatives

Within the last several months, two significant insurance organizations have announced greater involvement in initiatives to reduce cybersecurity risk throughout the insurance industry. The New York State Department of Financial Services (NY DFS) released the results of its survey on cybersecurity practices and the National Association of Insurance Commissioners (NAIC) recently adopted a set of cybersecurity regulatory principles.

Taken together, these initiatives signal that state regulators are increasingly concerned about cybersecurity risks and are preparing to put greater emphasis on them in the years ahead. Instead of waiting, insurers should take steps now to address the common themes that have emerged.

Preparing your organization

#1 Ensure that cybersecurity is considered in your top-down governance programs, such as enterprise risk management (ERM).

Cybersecurity is not purely a technical issue; it is a business issue. Any business decision (e.g., offering a new service or product, using a third-party service, acquiring a new business) may significantly increase an organization’s cyber-risk. As a result, cyber-risk needs to be considered in light of corporate strategy, customer service, public relations, and other areas.

Both the NY DFS and the NAIC have said that they expect cybersecurity risks and mitigating steps to be included in ERM programs.

#2 Consider the use of the National Institute of Standards (NIST) cybersecurity framework.

The NAIC has explicitly called for the use of a flexible, scalable, practical framework (e.g., NIST) that is consistent with nationally recognized efforts. The NIST framework meets that requirement, is intended to be used across industries, and allows for flexibility given an organization’s risk, size, and complexity.

We have found the use of a cybersecurity framework like NIST to be very beneficial:

  • It provides excellent coverage across all of the areas of cybersecurity processes, from cyber-risk assessment to incident response management and cybersecurity countermeasures. This allows you to use the significant investment made by NIST to develop the framework.
  • As a framework accepted by many in the marketplace, using it is another means of displaying that a sound, measured process is being used to address cybersecurity risk.

#3 Join an information sharing and analysis organization (ISAO)

Both the NY DFS and the NAIC have called on insurers to join an information sharing and analysis organization such as the Financial Services Information Sharing and Analysis Center (FSISAC). FSISAC is a not-for-profit organization meant to facilitate sharing of credible threat intelligence. It has a range of membership and fee options from which to choose.

#4 Third-party management

Both the NY DFS and the NAIC have said that management of third parties entrusted with sensitive information needs to be a component of an insurer’s cybersecurity program. Regulators will expect to see provisions for:

  • Contractual commitments requiring that third parties have cybersecurity controls and breach notification procedures in place
  • A robust oversight program run by insurers for their third parties

Good business sense

Whether insurers put increased focus on cybersecurity risk to meet the requirements of state regulators or to reduce their exposure to reputational, financial, or operational risks, these actions make good business sense given the current threat environment faced by the insurance industry.

For more information on this topic, or to learn how Baker Tilly’s insurance industry specialists can help, contact our team.
