Insurance Industry Required to Combat Cyber Attacks
New York State Finalizes an Insurance Industry Cyber Security Regulation That’s the First of Its Kind
New York state announced a final cyber security regulation this month that set mandatory standards for banks and insurers to combat the increasing cyber threat. The new cyber regulation will take effect March 1st. It follows a series of high-profile data breaches that resulted in hundreds of millions of dollars in losses for U.S. companies including: Target, Home Depot and Anthem.
The cyber regulation lays out unprecedented requirements on steps insurance companies must take to protect their networks and customer data from would-be hackers and disclose cyber events to state regulators if and when they occur.
“These strong, first-in-the-nation protections will help ensure the [insurance] industry has the necessary safeguards in place [to protect businesses and clients] from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.
New York attorney Jed Davis, a former U.S. federal cyber crimes prosecutor, called the new regulation a “game changer.”
“No other state and no other federal agency has these kinds of mandatory standards,” David said.
The regulation will affect all insurance companies that do business in New York state.
The new state standards call for insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.
The revised rule requires firms to perform risk assessments in order to design a program particular to them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.
“It’s now driven by a realistic assessment of one’s cyber security risks,” Luke Dembosky, an attorney in Washington, D.C., and a former veteran cybercrime prosecutor said.
Anthem’s cyberattack – which hackers stole the names, birth dates, Social Security numbers, home addresses and other personal information of 78.8 million current and former members and employees – affected Anthem’s reputation with consumers. Consumers questioned whether Anthem and other healthcare organizations could manage the volumes of data they have access to.
The FBI is still investigating the attack, and so far has found no evidence that Anthem members’ data have been sold, shared or used fraudulently, an Anthem spokeswoman said. Credit card and medical information also allegedly has not been taken. Anthem provided two years of credit monitoring to those who were affected by the previous attack.
How do you feel about the new insurer cyber regulations? Do you think it will help or hurt the insurance industry? How will the new rulings affect consumer perception of insurance providers? How will this new ruling affect insurance lead generation? Share your thoughts below.