Written by Kate Lucente and Tara Swaminatha

On February 8, 2015, the New York Department of Financial Services released its Report on Cyber Security in the Insurance Sector, and announced that it will begin conducting targeted cybersecurity assessments of New York-regulated insurance companies. Read the full Report here.

“Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses,” said Benjamin M. Lawsky, Superintendent of Financial Services for the Department.  Superintendent Lawsky also called for both regulators and private companies to “redouble their efforts” to safeguard consumer data.

In addition to targeted cybersecurity assessments, the Department also announced several other initiatives, aimed at New York-regulated insurance companies, that are intended to encourage better cybersecurity preparedness in the insurance industry, including:

  • enhanced regulations that require insurance companies to meet heightened standards for cybersecurity;
  • exploring possible improvements to representations and warranties insurers should require from their third-party vendors; and
  • exploring the cyber insurance market and ways to support and encourage its development.

The Department did not elaborate on the scope of any of the planned initiatives but stated that it expects to proceed with them in the “coming weeks and months.”

According to February’s Report, the Department surveyed the cybersecurity practices of 43 providers, including health insurance, property & casualty, and life insurance providers, with collective assets of just over $3 trillion. The insurers shared their cybersecurity programs and, where applicable, their enterprise risk management reports, which are required as of 2014 for some insurers under New York State Insurance Regulations.

The Report comes on the heels of a December 2014 letter issued by Superintendent Lawsky to New York-regulated banks, containing cyber security preparedness guidance and announcing new targeted cyber security preparedness assessments for New York-regulated financial institutions. (Read the full letter here.)