Cybersecurity Is Not a Product, It's a Process: Financial Service Regulators Hold Insurance Company Boards Responsible for Cybersecurity

Publication year: 2017


Alice T. Kane

Phillip A. Goldstein

Introduction

Over the last few years, the insurance industry has been recognized as a significant target of cybersecurity threats.1 In 2015, the data breach at Anthem, Inc., resulted in the information of millions of individuals being compromised.2 On the same day, hackers are estimated to have stolen up to 11 million customer records at Premera Blue Cross.3 Hackers have realized that data held by insurance companies can, in fact, be more valuable over time than credit card information.4 For example, insurance companies store data on where the insureds live, spouses' names and serious medical conditions.5 In the age of technological turbo-change, cybersecurity risk will not be going away anytime soon; it will only become more complicated and potentially more dangerous.6

This ever-present danger is prompting state and federal regulators to propose corporate governance cybersecurity requirements for insurance company Boards of Directors (the "Board" or "Boards") and management. Financial service regulators are taking action to safeguard the insurance industry from cybersecurity threats by requiring programs and policies to be approved and monitored by Boards and implemented by management. Our focus is on the proposed insurance regulations that approach cybersecurity risk with a regulatory stick, mandating the implementation of cybersecurity policies and programs with rigorous Board oversight and, in one instance, Board certification of compliance. If the management and directors of a financial institution that experiences a future cyber incident are subsequently found to have been noncompliant with such a regulation, the Board will be further exposed to litigation. Such litigation would likely be covered under D&O policies and, therefore, would most likely result in increased D&O premiums.7

In late 2016, there was a frenzy of regulatory activity at the federal and state level. The New York Department of Financial Services ("NYDFS"), a consortium of federal regulators and the National Association of Insurance Commissioners ("NAIC"), which tends to influence the legislative and regulatory insurance laws of many states, each considered regulations to curb cybersecurity risks.8 All three contain corporate governance requirements. The first-ever cybersecurity regulation was released by the NYDFS on September 13, 2016.9 Following a barrage of industry comments, Superintendent Maria Vullo issued an updated cybersecurity regulation.10, 11 Nationally, insurance regulators at the NAIC have been working toward an Insurance Data Security Model Law (the "Model Act") to establish insurance industry standards for data security.12 In response to industry comments, the Model Act is now on its third draft and is expected to be finalized later this year.13 Finally, at the federal level, a joint advance notice of proposed rulemaking ("ANPR") for enhanced cyber risk management standards for large, interconnected, federally regulated financial institutions was released in October 2016 by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (the "Federal Regulators").14

Surveys completed by Spencer Stuart/Corporate Board Member and PwC's Governance Insights Center show that public company Boards view cybersecurity risk as a serious problem that needs more attention.15 Beyond that self-assessment, the aforementioned regulatory proposals mandate corporate governance requirements for insurance company Boards. Boards of insurance companies now not only owe a fiduciary responsibility and duty of care to the company, policyholders and shareholders, but also must comply with regulatory mandates.

Part 1 of this Article will address the corporate governance mandates of the updated, proposed cybersecurity regulation issued by the NYDFS and how the mandates have changed from the initial, proposed regulation. Part 2 will focus on the NAIC Model Act's corporate governance requirements. Lastly, Part 3 will discuss how corporate governance is approached by the ANPR issued by the Federal Regulators.

I. NYDFS Regulation

After surveying nearly 200 of its regulated insurance companies and banks for industry insight, the NYDFS proposed the first-ever cybersecurity regulation to protect against the growing threat of cyber-attacks.16 Following a 45-day comment period,17 during which over 150 comments were submitted,18 NYDFS issued an updated draft on December 28, 2016.19 NYDFS made it clear that the revised regulation was the result of careful consideration of the submitted comments.20

A. Initial Regulation

Both the initial and the most recent drafts of the cybersecurity regulation create corporate governance obligations for insurance company Boards. Insurance companies are required to establish a cybersecurity program and policies to ensure the confidentiality, integrity and availability of their information systems and nonpublic information.21 A Chief Information Security Officer ("CISO") must also be designated to be responsible for implementing, overseeing and enforcing the program and policies.22 The cybersecurity policy must address specific areas, such as system and information security, customer data privacy, and vendor and third-party service provider management.23 Initially, the draft regulation required at least an annual Board review of the cybersecurity policy and biannual CISO reports to the Board.24 A certification of compliance from the Board or senior officer to NYDFS is required to affirm that the insurance company is in compliance with the cybersecurity regulation.25

B. Revised Regulation

On December 28, 2016, NYDFS released an extensively revised cybersecurity regulation.26 Most notably, the requirement of an annual Board review of the cybersecurity policy has been eliminated.27 Under the revised regulation, either a senior officer or the Board is required to approve the written cybersecurity program and policies.28 Because approval may come from either a senior officer or the Board, the Board is permitted to rely solely on management for approval of the cybersecurity program.

Initially, the regulation required a biannual report by the CISO to the Board assessing the information systems, noting exceptions to the cybersecurity policies and procedures, identifying the cyber risks, assessing the effectiveness of the cybersecurity program, proposing steps to remedy any inadequacies, and summarizing all cybersecurity events.29 The revised regulation requires an annual report by the CISO on material cyber risks and the overall effectiveness of the program, and eliminates the requirement to propose remediation steps for program inadequacies.30 The threshold for the summary of cybersecurity events, and for external reporting of cyber breaches, is raised from all events to material events.31

II. NAIC Model Act

In the U.S., insurance regulation is largely a state-based system in which each state has its own insurance law and regulator.32 The NAIC is the regulatory support and standard-setting organization operated by the insurance regulators from all 50 states and the U.S. territories.33 Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight.34 In late 2014, the NAIC Executive (EX) Committee appointed the Cybersecurity (EX) Task Force to function as the hub for cybersecurity regulatory activity.35

In 2015, the NAIC adopted the 12 Principles for Effective Cybersecurity Insurance Regulatory Guidance36 and, in March 2016, began drafting the Model Act to establish cybersecurity standards for insurance companies covering data security and the investigation and notification of breaches.37 More recently, the proposed Model Act was discussed at both the 2016 NAIC summer and fall meetings.38 The initial drafts of the Model Act have been revised after extensive comments from trade associations, market participants and regulators.39 An ad hoc drafting group was formed to move the Model Act toward finalization. The ad hoc group is currently chaired by Elizabeth Kelleher Dwyer, the Rhode Island Insurance Superintendent.40 Work on a third draft of the Model Act continues into 2017 through biweekly regulator conference calls.41

The Model Act requires much more of insurance company Boards. It establishes clear Board responsibility for cybersecurity by requiring Board approval and oversight of the required comprehensive written information security program, including its implementation and ongoing management reports.42 The written program must contain details of the administrative, technical and physical safeguards for protecting personal information.43 There is also an...
