State insurance regulators have a dual role in the cybersecurity equation. They are charged with ensuring their licensees are properly safeguarding their customers’ private financial and health data, as well as regulating a rapidly expanding cyber risk insurance market.
While US privacy laws might be contained in a variety of state and federal laws, regulators feel they have the tools to do the job and, in many instances, are employing lessons learned from the industry to promote effective cyber risk management.
According to the National Association of Insurance Commissioners (NAIC), the organization is “carefully monitoring” cybersecurity efforts. As part of its goal of protecting consumer information, NAIC developed a model regulation that establishes standards for insurance entities to meet in order to comply with the information security provisions of 1999’s federal Gramm-Leach-Bliley Act (GLBA).
The model requires each licensee to establish a written information-security program that includes administrative, technical, and physical safeguards for the protection of customers’ nonpublic personal information, appropriate to the size and complexity of the licensee and the nature and scope of its activities. According to the NAIC, programs may include provisions such as “identifying reasonably foreseeable internal or external threats, assessing their likelihood and potential damage, training staff, regularly testing key controls, and exercising due diligence in selecting service providers.”
NAIC staffers also represent state regulators with the President’s Working Group on Financial Markets as part of the Financial Banking Information and Infrastructure Committee.
Regulators also scrutinize insurers’ reliance on information technology to verify that companies have adequate controls and risk management in place.
Individual insurance departments say they’re well aware of the issue.
“The Connecticut Insurance Department has cybersecurity on its radar in all of its company oversight functions including financial solvency and market conduct,” said Donna Tommelleo, spokesperson for the Connecticut Insurance Department. “We recognize this as a serious factor in business sustainability and require companies to share their strategies with us as part of our routine exams. We also take our duty to ensure the confidentiality of our consumers’ information very seriously.”
In New York, Gov. Andrew Cuomo last year joined with Superintendent of Financial Services Benjamin Lawsky to proactively gather information on insurers’ cybersecurity preparation.
“The extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers,” said Cuomo. “It’s vital that we stay ahead of the curve on cyber security because we know hackers aren’t going to give us any breathing room.”
Lawsky stated, “Cybersecurity at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot. We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.”
A New York survey sought to measure the safeguards insurers have in place; the funds and resources dedicated to cybersecurity; and the IT, governance and internal control policies in place.
The NAIC’s Center for Insurance Policy Research last month hosted a panel discussion with several cybersecurity experts in the both the public and private sectors to gauge the risks the business world is facing and what the role of state insurance regulators will be. Speakers offered a glimpse at the types of cybercrime facing both businesses and consumers and a few indicated insurers are providing a good roadmap for effective cyber risk management.
Mississippi Insurance Commissioner Mike Chaney commented during the discussion that high-profile data breaches show the “stakes are high” for companies and consumers.
“It demonstrates that criminals are becoming more vigilant,” Chaney said.
Brian Peretti, acting director of the United States Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy, informed insurance commissioners that they are dealing with “more and more sophisticated criminals” exploiting any vulnerability they can find.
“Why?” he asked. “Because they’re criminals. They’re just waiting for the payoff. They can net maybe $2 million to $3 million for one scam. That buys you a lot of Diet Mountain Dew and doughnuts for your basement you’re living in.”
NAIC members were advised to ensure that their licensees are conducting the same level of risk assessment insurers would expect their policyholders to conduct when approaching any type of risk.
Jeremiah Posedel, associate attorney with Drinker Biddle & Reath, informed regulators they are working with several different state and federal laws – a “patchwork of state and federal regulations.”
These outline the liability arising with the loss of consumer data and the remedies required. Loss of private data notifications are generally required within a set time limit that varies by state, but Posedel noted most consumers don’t even accept the credit-monitoring services offered by breached companies. Regardless, those are services frequently paid for through cyber insurance policies.
Adam Sedgewick, senior information technology policy advisor for the National Institute of Standards and Technology (NIST), highlighted the recently released cybersecurity framework for critical infrastructures developed in partnership with businesses and security experts.
“It’s not a problem that can be eliminated,” said Sedgewick. “This is about building an immune system, it’s not about ending the disease.”
Sedgewick said NIST intended with the framework to simplify and group all industry standards and best practices for cybersecurity. The organization, which is not a regulator, named the “highest level functions” any business could do to limit cyber loss ‑ “identify, protect, detect, respond and recover.”
However, researchers at George Mason University recently questioned whether the NIST framework will actually be useful.
“By blindly beating the drums of cyber war and allowing unfocused anxieties to clumsily force a rigid structure onto a complex system, policymakers lose sight of the ‘far broader range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error, technical problems, and market failure apart from malicious attacks,’” said Eli Dourado and Andrea Castillo, authors of the report. “When most infrastructures are considered ‘critical,’ then none of them really are.”
They added that security threats are frequently changing and can’t be forced neatly into “even the most sophisticated flowcharts.” The GMU researchers also questioned whether the framework will assist at all with the development of a strong cyber insurance market, although that was a goal of the Obama Administration’s executive order requiring the creation of the framework.
Tom Finan, senior cybersecurity strategist with the Department of Homeland Security’s National Protection and Programs Directorate (NPPD), noted that the cyber insurance marketplace faces a series of challenges, mainly in the case of first-party coverage to cover a business’ own losses due to cyber attacks.
“The bottom line is, a persistent lack of actuarial data is preventing the first-party market from really taking off. While it’s nascent, there’s hope that [the executive order] and the framework will help it,” he said during the NAIC event. Companies that are subject to breaches or cyber attacks are reluctant to share details of their financial and data losses.
There is, however, a functional market for third-party cyber insurance coverage, which covers the cost of notifying customers and offering credit monitoring. Finan said there is a “sizable and unfortunately growing” bank of actuarial data to help in pricing this risk. In the absence of actuarial data, insurers are focusing on whether their potential insureds present “an engaged risk culture” when pricing cyber insurance. This could help both regulators looking to ensure pricing is accurate, as well as help companies in every industry address their own risk, he suggested.
“If the insurance industry is looking to how individual companies are managing their risk, then maybe we could discover some lessons learned that could be more broadly applicable to others,” Finan said.
In conversations with insurers, NPPD identified four pillars of an effective risk culture – the role of executive leadership; education and awareness; the role of technology; and information sharing. The goal, according to Finan, is to figure out how to incorporate cyber risk into good risk management and move it “out of the IT silo.”
Brokers say that better insurance prices and terms are already evident in the market for companies showing “an engaged risk culture,” Finan said. The NIST framework could help benchmark experience for companies that use it compared to companies that do not, he added.
Robert Parisi, senior vice President and national technology, network risk and telecommunications practice leader for the FINPRO unit of Marsh, emphasized the all-encompassing nature of cyber risk.
“This is a risk that hits every company. If you handle data, touch data, or rely upon a computer in any form, you’ve got that risk,” he said. Over the last several years, traditional insurance policies have tightened to the degree that cyber risks are simply not covered. Just last September, Insurance Services Offices (ISO) excluded data breach coverage from the commercial general liability policy form, a change that had been approved in nearly every state. Insurance buyers may not even realized they weren’t covered under their CGL policies, the speaker noted.
“We’ve seen the insurance market say, you want this coverage, we’re here to help you, but don’t expect to find it under your traditional program,” said Parisi. Insurers made the case that they need to estimate the risk and price it properly.
John Coletti, vice president and underwriting manager with the XL Group, told NAIC members that insurers are doing their best to take on the risk without any firm actuarial data. Cyber insurance prices tend to be based on errors and omissions rates from the late 1990s. However, insurers are taking on the risk to build the market.
“I don’t know of any other industry that would do this,” Coletti said. “We’re trying to build some solid rating algorithms.”
Parisi said that demand has been spiking over the last several months. The cyber insurance market has grown 10 percent to 15 percent each year, he added. Data breach notification laws have propelled the demand, as well as businesses falling prey to hackers.
The insurance industry has continued to innovate rapidly, as cyber risk becomes better understood. American International Group this week released a cyber policy that provides expanded coverage including for coverage for physical damage to property and physical injury to individuals. The company didn’t respond to a request for comment for this story, nor did other insurers.
Much of the insurance market for cyber insurance continues to be the domain of the excess and surplus lines market, which isn’t subject to rate and form regulation. However, regulators appear to be giving insurers space to price the risk and let the market dictate both its need and its cost.