The New York State Department of Financial Services (DFS) is calling on insurance companies to “strengthen” their cyber-hacking defenses.
Benjamin M. Lawsky, superintendent of financial services, in February announced a series of measures to require insurers to take stronger steps to ward off cyber hackers.
In the coming weeks and months, DFS will integrate “regular, targeted” assessments of cyber-security preparedness at insurance companies as part of the department’s examination process.
It’ll also put forward enhanced regulations requiring institutions to meet “heightened” standards for cyber security, and examine “stronger” measures related to the representations and warranties that third-party vendors send insurance companies.
“Recent cyber-security breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private-sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data,” Lawsky said in the news release.
DFS conducted a survey with a focus on cyber security involving a “significant cross-section” of its regulated insurance companies.
A total of 43 firms, with combined assets of about $3.2 trillion, completed a survey seeking information about each participant’s cyber-security program, costs, and future plans.
The department’s analysis of the insurers surveyed found that a “wide array” of factors, not just reported assets, affect the “sophistication and comprehensiveness” of the insurers’ cyber-security programs.
The DFS “did not necessarily find” that the largest insurers had the “most robust and sophisticated” cyber defenses, even though that “may be expected,” according to its news release.
Letter to insurers
The DFS has also expanded its information-technology (IT) examination procedures to focus “more attention” on cyber security.
That’s according to a March 26 letter that Lawsky wrote to insurance executives and that the department posted on its website.
DFS will add new questions and topics to its existing IT exam, including the reporting structure for cyber security-related issues; management of cyber-security issues, such as the interaction between information security and core-business functions; and resources devoted to information security and overall risk management, according to the letter.
The letter also listed additional topics.
DFS said it would schedule IT/cyber-security exams after conducting risk assessments of each institution. To help in the assessment, DFS asked insurers for a report with several pieces of information.
They include the job description of the current chief information security officer, that person’s training, and the organization chart for information-security functions.
DFS wants the report to describe how the organization maintains information-security policies that address “confidentiality, integrity, and availability,” the letter said.
The department asks insurers to identify and describe their use of “multi-factor authentication for any networks, systems, programs, or applications,” according to the letter.
Insurers should describe their incident-response program, including how incidents are “reported, escalated, and remediated.”
DFS also wants insurance companies to describe any protection they use to “safeguard” sensitive data that is “sent to, received from, or accessible to” third-party service providers, such as encryption or multi-factor authentication, according to the letter.
In total, Lawsky’s letter listed 16 pieces of information the DFS seeks in the requested report.