State financial regulators in New York are stepping up pressure on insurance companies to ensure that they have adequate cybersecurity measures in place.
The New York Department of Financial Services (DFS) has published a report on cybersecurity in the insurance industry, and announced that it plans to introduce regular, targeted assessments of cybersecurity preparedness at insurance companies as part of its examination process. It also said that it will propose enhanced regulations requiring institutions to meet higher standards for cybersecurity.
The report details the results of a survey of a cross-section of insurers, which found that a wide array of factors, not just the size of the firm, affect the sophistication and comprehensiveness of the insurers’ cybersecurity programs. Those factors include transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines. The report notes that while it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the DFS did not necessarily find that to be the case.
It also found that firms may be too complacent about security. It notes that 95% of insurers believe that they have adequate staffing levels for information security, and that only 14% of CEOs receive monthly briefings on information security.
“Recent cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data,” said Benjamin Lawsky, superintendent of financial services for New York.
The DFS issued industry guidance to banks in December of last year outlining the specific issues it will be examining as part of new targeted, cybersecurity preparedness assessments. Among other factors, banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cybersecurity; their defenses against breaches, including multi-factor authentication; and the security of their third-party vendors, it said.