The New York State Department of Financial Services (the "Department") recently released a "Report on Cyber Security in the Insurance Sector" (the "Report"). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the Report does not directly address the Anthem breach (the Department addressed Anthem's breach in a separate alert), its findings provide a detailed look at the current cyber security landscape in which the Anthem breach occurred.
The Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report's questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers' overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management ("ERM") reports that certain insurers filed with the Department.
The Report has a number of interesting findings, many of which trigger their own questions:
Insurer Sophistication is Nuanced. The Report concluded that the size of an insurer's assets is not the only factor that determines the sophistication of the insurer's cyber security program. The breach of Anthem, one of the largest health insurers in the country, may be viewed as leading credence to this finding. In addition to insurer's assets, the Report finds that the sophistication of a cyber security program is also determined by the firm's transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines.
Emerging Threats Are Recognized, but Confidence Remains High. When asked which factors are the primary barriers to ensuring information security at their organizations, 81% of respondents pointed to the increasing sophistication of cyber security threats, while 72% believed that emerging technologies were the primary barrier. Notwithstanding the recognition of increasingly sophisticated and dynamic threats, over half of the insurers reported that their organization’s current information security strategy adequately addresses new and emerging risks, with only 40% reporting a need to modify their strategies to address new and emerging risks. Further, only 51% of insurers surveyed reported having a budget specifically for cyber security events, while 95% of insurers believe that they have adequate staffing levels for information security. Again, this survey was conducted prior to the Anthem breach. It would be interesting to know the comfort level of respondents following the Anthem breach, and whether or not their responses might change.
Health Insurers Uniquely Manage IT. Close to 60% of the health insurers surveyed relied entirely on in-house IT system management. In both property and life insurance sectors, a majority of the firms relied on a mix of both in-house and outsourced management. The Anthem hack will certainly raise questions about the capabilities of in-house IT management.
Intrusion Prevention Lacking. According to the Report, all of the respondents implemented "intrusion detection systems." However, health insurers were the least likely to implement such systems. The National Institute of Standards and Technology (NIST) defines "intrusion prevention system" as software that has all the capabilities of an intrusion detection system but which can also attempt to stop possible incidents. While the NIST notes that there may be technical reasons for turning off certain prevention features, the Report does not address these issues in detail.
Cloud Policies. Of the three insurance sectors surveyed, health insurers were the least likely to have policies and procedures in place to mitigate the information security risks associated with cloud computing. Unfortunately, the Report does not specify the percentage of health insurers that are implementing cloud-based information systems nor does it address the pervasiveness of cloud use in those insurers that do use the cloud.
In addition to its findings, the Department highlights three areas of potential industry change that it believes could help foster improved cyber security : (1) management of third-party service providers that handle sensitive information, with a focus on obtaining the appropriate representations and warranties from the third-party service providers; (2) the potential use of new security technologies (e.g., multi-factor authentication) to prevent breaches; and (3) the potential industry benefit that could result from a larger cyber insurance market.
The pressure on insurers to apply these and other security measures is likely to increase following the Anthem breach. Similarly, matters of data security will assume increased urgency from the Department and other regulators responsible for overseeing an industry responsible for staggering amounts of personal and financial information assets.