New York Gov. Andrew Cuomo sees the health, financial and personally identifiable information maintained in insurance companies records as a "virtual treasure trove for hackers." So he's requiring the 31 largest insurers regulated by the state to provide their policies and procedures for preventing cyber-attacks.
"We're intensely focused on making sure that banks have the protections in place they need, but we always have to keep at least one eye on the lookout for the next big threat," Cuomo said in a statement announcing the inquiry. "It's vital that we stay ahead of the curve on cybersecurity because we know hackers aren't going to give us any breathing room."
Here's what the state seeks from the insurers:
- Information on any cyber-attacks the company has been subject to in the past three years;
- Cybersecurity safeguards put in place;
- Information technology management policies;
- Amount of funds and other resources dedicated to cybersecurity;
- Governance and internal control policies related to cybersecurity.
Insurers have 15 business days to respond to the inquiry, issued on May 28.
Benjamin Lawsky, state superintendent of financial services and co-chair of the recently created Governor's Cybersecurity Advisory Board, said in a statement that cybersecurity at insurance companies is often overlooked. "It's far too important to get caught in a blind spot," he said. "We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk."
How Will State Use Insurers' Information?
But neither Cuomo nor Lawsky in their statements explained how the state would use the information on insurers' cybersecurity measures. A Department of Financial Services spokesman queried about how the state would utilize the information could not provide an answer.
Ellen Carney, a senior analyst who covers insurance for Forrester Research, an IT research and advisory firm, said the state could use the information to better formulate policies to protect policyholders.
Insurers collect more information just to provide a quote to potential policyholders than banks maintain on their customers in their computers, Carney said. And health insurers will collect even more personal information as federal healthcare reform takes effect.
To get a quote for a business liability insurance policy, companies must disclose their vulnerabilities. Plus, insurers get more information when claims are filed. "They're collecting incredible amounts of information," Carney said.
Compared with other sectors, insurers have experienced relatively few breaches. But with the trove of information being amassed, insurers are becoming more susceptible to hackers. "They've dodged the bullet so far," Carney said.
Pledge of Cooperation
The insurance industry has promised cooperation with the state. Ellen Melchionni, president of the New York Insurance Association, suggested the insurance industry sees the inquiry as a forum to educate regulators.
"The New York Insurance Association looks forward to working collaboratively with the Department of Financial Services as New York's regulators look to learn more about how to guard against security breaches," she said. "NYIA's members and DFS share the same goal: protecting consumers."
Melchionni, who was unavailable for an interview, did not address in her statement the ramifications of providing cyber-protection information to the state, such as whether sharing cybersecurity information could open insurers to liability lawsuits if it's revealed that adequate safeguards weren't taken.
Jim Redmond, vice president of communications at Excellus BlueCross BlueShield, said the health insurer intends to comply, but noted it was too early in the process to see if the state's request for information could be overwhelming. "We just received the request, and those are the types of questions that we'll be examining as we prepare the answers," he said.
The inquiry into insurance cyber-protection comes at a time when Cuomo is beefing up the state government's role in cybersecurity. Earlier this year, the Financial Services Department sent similar inquiries seeking information on cybersecurity policies to the largest banks it regulates.
Earlier this month, Cuomo created the Cybersecurity Advisory Board to advise his administration on cybersecurity developments and to make recommendations to protect the state's critical infrastructure and information systems [see Renowned Security Leaders Join NY Board].