Health insurers say poorly designed regulator responses to hackers and malware could backfire, by adding costs and red tape without doing much to improve data security.
Matt Pratt of America’s Health Insurance Plans (AHIP) and Kim Holland of the Blue Cross Blue Shield Association make that case in comments on a set of draft principles for effective cybersecurity regulatory guidance.
Members of the Cybersecurity Task Force, an arm of the National Association of Insurance Commission (NAIC), talked about the draft, and interest groups’ comments on the draft, Sunday in Phoenix, at the NAIC’s spring meeting.
The task force unveiled the draft March 12. Originally, public comments were due March 23. The task force ended up extending the comment period to April 10, to give members of the public more time to weigh in.
J. Kevin McKechnie wrote, on behalf of the American Bankers Association (ABA), that the ABA and its insurance arm, the American Bankers Insurance Association, like the draft principles but believe the NAIC should put more emphasis on software vendor disclosure and software patchability.
McKechnie asked the NAIC to back H.R. 5793, a bill would create standard measures of software systems’ “cyber hygiene.”
Representatives from the Center for Economic Justice, the Consumer Federation of America, United Policyholders and the National Consumer Law Center wrote a joint comment emphasizing that insurance regulators should apply strong data security standards to insurance producers as well as to insurance issuers.
Pratt and Holland welcomed the NAIC’s work on cybersecurity, but they asked regulators to adjust what the draft principles say about insurance regulators’ role in that area.
When the human immune system has problems dealing with an actual, or imagined, problem, it can cause reactions ranging from runny noses to shock.
For a look at Pratt and Holland’s ideas about how poorly focused regulatory principles could add to the burden inflicted by the data breach threat, read on.
5. Regulators could impose overly specific requirements.
The 14th principle in the current draft calls for insurers and insurance producers to join the Financial Services Information Sharing and Analysis Center (FSISAC), to “share information and stay informed about cyber and physical threat intelligence analysis and sharing.”
Pratt and Holland say they strongly disagree with the idea that the NAIC should require insurers to join any specific group.
FSISAC, for example, has been more helpful for banks than for insurers, and many health insurers already belong to the National Health Care Information Sharing and Analysis Center (NH-ISAC), the commenters say.
See also: Benner on tech: Anthem