On March 26, 2015, the Superintendent of the New York Department of Financial Services (NYDFS) issued a letter detailing requirements for insurers to provide information related to their cybersecurity programs and practices. With responses due April 27, 2015, the short turnaround created a sense of urgency among insurers.
In recent years, cybersecurity in the insurance industry has been a point of heightened concern for regulators. This latest initiative is a direct response to the many destructive breaches that have occurred in the United States financial system. The reports, which were submitted via the NYDFS portal, contained responses to the following questions:
- Provide the curriculum vitae and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual’s information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution’s IT and information security functions;
- Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies;
- Describe how data classification is integrated into information risk management policies and procedures;
- Describe your institution’s vulnerability management program as applicable to servers, networks, endpoints, mobile devices, network devices, systems, and applications;
- Describe your institution’s patch management program, including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur;
- Describe identity and access management systems employed by your institution for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature;
- Identify and describe the current use of multi-factor authentication for any networks, systems, programs, or applications;
- Describe all application development standards used by your institution, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process;
- Provide a copy of, to the extent it exists in writing, or otherwise describe, your institution’s incident response program, including how incidents are reported, escalated, and remediated;
- Describe the extent to which information security is incorporated into your institution’s business continuity and disaster recovery plan, the way in which that plan is tested, how often the plan is tested, and the results of the most recent test;
- Describe any significant changes to your institution’s IT portfolio over the last 24 months resulting from mergers, consolidations, acquisitions, or the addition of new business;
- Describe your institution’s due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers;
- Provide a copy of any policies and procedures governing relationships with third-party service providers that address information security risks, including setting minimum information security practices or requiring representations and warranties concerning information security;
- Describe any steps your institution has taken to adhere to the Framework for Improving Critical Infrastructure Cybersecurity issued by the National Institute of Standards and Technology (“NIST”) on February 12, 2014 concerning third-party stakeholders;
- Describe any protections that your institution uses to safeguard sensitive data that is sent to, received from, or accessible to third-party service providers, such as encryption or multi-factor authentication; and
- List any and all protections against loss or damage incurred by your institution as a result of an information security failure by a third-party service provider, including any relevant insurance coverage.
Insurance companies authorized to sell policies in New York State that received the letter were required to submit a report responding to all NYDFS requirements in a timely manner. If your company was not contacted, we recommend gathering this information as a best practice.