New York’s Department of Financial Services (DFS) will take steps to help insurers strengthen their defenses against cyber attacks.
DFS, which also released a report on cyber security in the insurance industry, plans to integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of its examination process; put forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and examine stronger measures related to the representations and warranties insurance companies receive from third-party vendors, among other measures.
“Cyber reviews will encompass audits of the security controls that these organizations have in place,” says Tom Kellermann, chief cyber security officer at Trend Micro, an IT security company based in Irving, Texas.
“The security architecture will be assessed as well as the strategy and incident response plans,” he says. “I hope the state also incorporates penetration tests (ethical hacks to test the defenses) into the reviews.”
A comprehensive review will evaluate products, personnel, policies and processes, according to Jack Plotkin, chief technology officer of Virtual Health, a New York City-based next-generation healthcare technology company. Products may include any IT systems used, and personnel may encompass individuals and organizations, both internally and externally, who have access to those systems. Policies may incorporate elements such as cyber security training, compliance reviews, and disaster recovery, and processes will include the procedures in place to proactively identify and address issues and risks, according to Plotkin.
“These reviews will force insurers to reassess their IT policies, to adjust their practices, and to upgrade their systems to ensure that they are in compliance with industry standards,” says Plotkin. “There will be a short-term financial and operational cost for insurers, but it will be more than offset by the long-term benefits to consumers and the preservation of trust in the industry.”
Insurers should use this opportunity to thoroughly review current vendors, systems, and policies, to identify risks and vulnerabilities, to develop comprehensive remediation plans, and to execute those plans so that their IT infrastructures are brought in line with industry standards, Plotkin advises.
Insurers must become compliant with the Health Information Technology for Economic and Clinical Health (HITECH) Act security guidelines, according to Kellermann. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
“That being said, those standards are not effective in combating the targeted cyber attacks of 2015,” Kellermann warns. “The insurance industry is going to experience an unprecedented crime wave as the hacker community has come to appreciate the value of stolen health records in the black market. Realistically, these organizations must invest in deploying breach detection systems and host-based intrusion prevention systems in order to mitigate cyber intrusions.”
DFS conducted a survey of 43 entities, with combined assets of approximately $3.2 trillion, with respect to cyber security.
The department’s analysis of the insurers surveyed found that an array of factors, not just reported assets, affect the sophistication and comprehensiveness of the insurers’ cyber security programs. In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the department did not necessarily find that to be the case.
Moreover, DFS found that 95% of insurers already believe that they have adequate staffing levels for information security and only 14% of chief executive officers receive monthly briefings on information security.
“The cyber security review reflects the reality that, in today's world, a majority of sensitive consumer data is stored in digital format and that, consequently, insurers must exercise no less care in safeguarding electronic repositories than they do in protecting physical facilities,” Plotkin says. “This is an opportunity for insurers to focus the necessary attention and resources on a problem that often receives less focus, funding, and personnel than it requires.”