New York Department of Financial Services Announces New Cyber Security Measures Directed at Strengthening Insurers’ Cyber Defenses

This post was written by Emily Garrison and Andy Moss.

The New York Department of Financial Services (NYDFS) announced last week a series of measures it plans to take “to help strengthen cyber hacking defenses at insurers.” Those measures include, among other things: regular, targeted assessments of cyber security preparedness at insurance companies; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and considering the ways in which NYDFS can support and encourage the development of the cyber security insurance market. The NYDFS stated that it plans to initiate these measures in the coming weeks and months.

Sunday’s announcement also included the release of NYDFS’ Report on Cyber Security in the Insurance Sector, which contains the department’s findings from a cyber security survey of 43 regulated insurance companies, including health and life insurance providers. Among other things, the survey found that 95% of insurers already believe that they have adequate staffing levels for information security, but 40% reported a need to modify their strategies to address new and emerging risks. The companies identified the increasing sophistication of cyber security threats (81%) and emerging technologies (72%) as primary barriers to ensuring information security at their organizations.

The cyber security actions taken by NYDFS are not limited to the insurance industry: in December 2014, the department issued an industry guidance letter to all New York chartered or licensed banking institutions outlining the department’s new, targeted cyber security preparedness assessments. As part of those assessments, which are becoming “ongoing parts of all DFS bank examinations moving forward,” banking institutions will be examined on a number of factors including: their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; and the security of their third-party vendors.

Data Security and Privacy Liability (“Cyberliability”) insurance may protect financial institutions and other companies against the costs of investigating and responding to, and liabilities arising from, cyber breaches. Companies considering, placing or renewing cyberliability coverage, or interested in examining the scope of coverage or determining whether certain types of claims may be insured under a particular cyberliability policy form should contact the authors of this blog post, the Reed Smith Insurance Recovery Group’s Global Practice Group Leader, Doug Cameron, or any Reed Smith Insurance Recovery Group attorney with whom you routinely work.
