Cyber Insecurity

Although insurance industry players – companies and producers – are not exactly modern Luddites opposed to any technology advances, it is no secret that the industry usually lags behind in keeping up with an ever-changing world. In an age where young people in the same room are more comfortable communicating via texting rather than talking to each other, the business of insurance clings to personal interface as a keystone. Some consider this a strength of the industry while others seem to always be pushing the industry to wider, more dynamic acceptance of modern technology to keep pace or risk losing its position in the world economy. It should be no surprise, therefore, that the industry is being pressed to recognize and protect itself and its customers from cyber threats. When that pressure comes from regulators – themselves technology challenged – it should raise a few eyebrows!

Of all the “hot topics” in the world of insurance regulation, the current regulatory frenzy over cyber security is right up there with excessive financial standards and SIFI (Systematically Important Financial Institutions) designations. Every regulatory level is in on the act, from the Federal Insurance Office (FIO), to the National Association of Insurance Commissioners (NAIC), to individual states like the New York Department of Financial Services (DFS). The most aggressive, of course, is New York’s DFS, whose chief has repeatedly stated that cyber security is the primary regulatory topic of concern for the foreseeable future. To back up this concern, the DFS produced a report in February on Cyber Security in the Insurance Sector after having produced a similar report on Banking Cyber Security last spring. The insurance sector report, based on surveys conducted even before the Anthem security breach was publicly disclosed, concluded that outside of their IT units most company managements had minimal knowledge of the scope and seriousness of the problems relating to securing information or how to address these problems.

These findings prompted the DFS to issue a letter to licensed insurers in March advising them that the Department “intends to schedule IT/cyber security examinations after conducting a comprehensive risk assessment of each institution.” To aid in that assessment, the Department “requested” a report from each insurer to be submitted by the end of April addressing 16 specific areas of inquiry regarding its security platform and standards.

At the other end of the spectrum, of course, is the NAIC, which at its spring meeting adopted “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” as recommended by its cybersecurity taskforce. The NAIC document includes 12 broad principles addressed not just to insurance companies, producers and other licensees but also includes principles aimed at regulators and their obligations (the NY letter and its 16 specific areas of inquiry are addressed only to insurers). The NAIC cybersecurity taskforce acknowledged that its principles were derived from a similar earlier effort by the securities industry.

The NAIC guidelines as approved made two changes from the initial draft to address industry criticism. First, the language was softened to address concerns that the original draft guidelines were too inflexible or too closely skewed to a specific standard. The other change was to remove a number of guidelines relating to the sale of cyber risk insurance. However, where the New York framework is devoid of reference to cyber insurance products, the NAIC Cybersecurity Taskforce, in addition to its guidelines, is considering a comprehensive, mandatory annual supplement detailing insurers’ cybersecurity policy writings to help regulators understand the size, scope and activities of the market. The NAIC is also working with Federal regulators and the FIO to coordinate data collection efforts on the scope of the marketplace for cyber risks.

Which brings us to the FIO and its announced plans that seem to go beyond the collection of data on cyber risk writings into the world of establishing underwriting guidelines for these risks. Huh? Regulators establishing underwriting guidelines?

In discussions among regulators, there has been much chatter about the need to coordinate the collection of cyber security data. There also seems to be regulatory recognition that increasing access to cyber coverage can be a significant mitigating factor in cyber crimes by making businesses incorporate better risk management systems. Recognizing underwriters’ need for incident frequency and severity data on cyber risks, however, does not ensure that this data will be successfully collected or made available to underwriters anytime soon. There are still substantial hurdles to be overcome in order to make this happen, including the confidential nature of much of the data, national security concerns and the reluctance of targets to be fully open about breaches of their systems. Nobody wants its system vulnerabilities on public display.

It seems a bit premature, therefore, for the FIO to leap from unresolved data collection and availability issues to the realm of insurance underwriting, not to mention the incongruity of government establishing underwriting standards for private businesses. It may be that when the FIO suggests establishing underwriting guidelines for cyber risks it has in mind things like defining acceptable minimum coverages, or identifying public policy considerations – items that permeate state insurance laws in areas like homeowners, auto and health insurance coverages. But who knows? Like financial standards being determined in large part by bank-centric regulators, the insurance industry – pushed again to the periphery of the dialogue – hopes that its limited voice on cyber security is loud enough to be heard and considered.

And who understands New York? While the NAIC and the FIO at least evidence some understanding of the positive relationship between expanding the cyber risk marketplace and risk mitigation, New York seems singularly focused on insurers’ own internal systems and protections. The few references to expanding cyber risk markets are incidental to the extensive and detailed directives to the companies about their own internal controls.

I suppose I should not be surprised at yet another example of New York’s reluctance to actually support growth and expansion of the business of insurance in the state. However, in view of the multiple pronouncements by New York’s chief banking and insurance regulator on the primacy of cyber security as a regulatory concern for the foreseeable future, wouldn’t it behoove the state to be more enthusiastic in expanding the market for cyber insurance products?