The good news is that if you comply with the New York DFS Cyber Rules, you're well-positioned for complying with other state cybersecurity regulations.
The Cybersecurity Model Audit Rule recently issued by the National Association of Insurance Commissioners (NAIC) gives guidance to other state regulators for how to craft cybersecurity regulations, and was designed to complement New York's DFS cybersecurity requirement.
To the extent that other states adopt the NAIC's recommendations, insurance companies will be on the right path to achieving cybersecurity compliance in multiple states.
Experts urge insurance companies to look at New York DFS compliance in parallel with NAIC compliance, and consider the various implementation deadlines that are included in the New York DFS guidance.
Here are some steps that insurance companies were to have completed by March 1, 2018, the New York DFS implementation deadline:
Step One: Your chief information security officers (CISOs) should have presented a cybersecurity annual report to their respective boards (or senior management team if there is not a board) that includes details on their cybersecurity programs and outlines any material cybersecurity risks. It's important that these annual reports paint a clear picture by including both quantitative and qualitative aspects that depict the organization's overall cybersecurity program and posture. Metrics are essential, but you also need to explain exactly what the metrics mean and what the impact is on the organization.
Step Two: Insurers should have completed their cybersecurity risk assessments. Several of the other components of the New York DFS Cyber Rules rely upon results of the risk assessment, which makes it a linchpin for overall compliance. In turn, an accurate risk assessment relies upon the firm having done a thorough asset inventory. Any firm that hasn't completed its asset inventory to a sufficient degree of detail may not be in compliance with the regulation and takes a chance that risk assessment may not be holistic.
Step Three: The DFS cybersecurity regulation calls for annual penetration tests and biannual vulnerability assessments. Think about where your key information assets are located, and then consider how somebody might try to get at them using different kinds of threat vectors. In the P&C insurance context, organizations should go beyond the typical network-level test to include other endpoints and potential points of compromise. Depending upon the structure of the insurance company, this may include insurance agents and claims adjusters using online and offline channels, as well as internet-enabled devices located at commercial or residential sites.
Step Four: Based upon the results of the risk assessment, insurers should have implemented a multifactor or risk-based authentication program. For some insurers, multifactor authentication may not be feasible because of technical limitations. In these cases, the organization needs to enable other controls and make sure the CISO signs off on their use. Whatever approach you use, the main task is to think through the entire authentication path for each role within the organization and check that the appropriate controls have been put into place for provisioning, authenticating and revoking accounts.
Step Five: Training and monitoring should be put into place. In cybersecurity, people are always the first line of defense. Employee training goes a long way toward building the kind of awareness that prevents cyber attacks from being successful.
With the March deadline behind them, insurers should also look ahead to the next New York DFS implementation deadlines of September 3, 2018, and March 1, 2019.
The September deadline includes audit trails, application security, data retention, activity monitoring and encryption of information. The March 1, 2019, deadline involves security as it relates to third-party service providers. Insurance companies typically maintain networks of agents and brokers, and these third parties collect and manage personally identifiable information (PII) covered by the New York DFS Cyber Rules. Even though agents and brokers may not be company employees, their cybersecurity policies and practices will now be of the utmost concern to insurance companies.
While it's possible that some smaller agents and brokers will be able to opt out of the regulation due to the exemption for the smallest organizations, agents and brokers will, for the most part, be under tremendous pressure from insurers to demonstrate their ability to protect information as expected by regulators. Consequently, we expect the relationship between insurers and their third-party partners to become more formalized.
While for some insurers there may be a focus on catching up to meet the demands of the regulation, we believe that the focus on cybersecurity will ultimately serve the insurance industry by reducing the frequency and severity of cyber attacks and bolstering customer trust in the financial services industry.
Jaime Kahan is a Cybersecurity Principal within the Financial Services Sector of EY focusing on regulation, risk, and control. She can be reached by sending email to [email protected].