Treasury is working on making insurers a fortress of protected information. (AP Photo/Jacquelyn Martin)

The Obama Administration has started to reach out to the insurance industry on the topic of cybersecurity in the wake of an executive order signed by President Obama in February. 

The U.S. Department of the Treasury will host a non-classified cybersecurity briefing for the insurance sector, inviting both industry and state regulators as well as National Association of Insurance Commissioners (NAIC) staff, on Aug. 22, via a Webcast. 

The intent is to share information about cybersecurity threats and vulnerabilities so that insurers can put in place better defensive measures against an attack. This sharing of unclassified information was contemplated in the Executive Order on improving cybersecurity. So was the voluntary adoption by companies of the so-called “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure,” known as “the framework.”

“I would expect that the framework is kind of a baseline,” said Alex M. Hageli, director of personal lines policy at the Property Casualty Insurers Association of America (PCI). As a government document, it will become like a measuring stick, he said, even though it is voluntary.

Some companies are likely already doing what the framework suggests, and PCI hopes it is flexible and very adaptable to what is going on, since the nature of cyber activity is changing every day. Cybersecurity is a moving target — as you adjust, you come into parallel with the framework, he said.

Not many are immune to hacking, however.

Last October, Nationwide Mutual Insurance and its Allied Insurance affiliate were hit hard by a cyberattack when hackers stole names, Social Security numbers and other identity information of more than one million people from its databases. Some argued that informing and identifying the people whose information was compromised was slower than it should have been. The company promptly initiated an investigation of the attack, which occurred Oct. 3, 2012, and on Oct. 16, 2012, determined that the criminal perpetrator had likely stolen personal information from its systems. On Nov. 2, 2012, Nationwide received confirmation of the identities and addresses of the individuals whose personal information was likely compromised.

Kirk Herath, VP, associate general counsel in Nationwide’s Office of Privacy, said, “Providing our customers with the highest level of security and protection of their information is a top priority at Nationwide. We have been following the development of the Obama Administration’s Cybersecurity Framework and we are planning to participate in the webinar scheduled to be held in August. We have a very robust information security program and work closely with regulatory partners at all levels to protect sensitive information.”

Director of National Intelligence James Clapper has warned Congress about the possibility of a catastrophic terrorist attack on U.S. critical infrastructure systems that could stem from hacking. 

Treasury has informed the trade industry and its participants that the briefing is not open to the public or to the media and cannot be recorded or rebroadcast. The briefing will “draw on the knowledge and expertise of law enforcement and intelligence officials from across the federal government” and be mediated by Federal Insurance Office (FIO) Director Michael McRaith.

The cyber threat landscape will be discussed by a representative of the Federal Bureau of Investigation (FBI) and by Brian Peretti, acting director of the Treasury Office of Critical Infrastructure Protection. Trade associations representing insurers and law firms were notified of the briefing and many companies plan on taking part, but the development of the framework and any industry adoption of it is still in its early phases.   

“I know that companies are distinctly aware that we are a repository for a great deal of information and very sensitive information,” PCI’s Hageli said. The intent is to protect that information as best as possible, he said.

Over in the life insurance sector, New York Life spokesman William Werfelman noted that the company “is committed to securing the information we keep on our policyholders. We have a robust information security program through which our internal information security team and third parties monitor and respond to potential threats. We are following the development of the Administration’s Cybersecurity Framework as part of our ongoing monitoring of regulatory developments and industry best practices.”

As for the NAIC, it sits on the Financial and Banking Information and Infrastructure Committee (FBIIC) and is monitoring implementation of the President’s cybersecurity order. The NAIC also monitors insurance market activity in providing cyber liability insurance; see http://www.naic.org/cipr_topics/topic_cyber_risk.htm and http://www.naic.org/cipr_newsletter_archive/vol5_manage_cyber_risk.pdf.
 

UPDATED with Nationwide Mutual quote, NAIC background