“In the 1920s and much of the 1930s, most people expected the airplane to foster democracy, equality, and freedom, to improve public taste and spread culture, to purge the world of war and violence, and even to give rise to a new kind of human being.” — Evgeny Morozov, The Net Delusion at 278 (Public Affairs 2011).
For those of us who remember, some tiny residue of this rosy sentiment lingered in commercial air travel into the 1990s, and then the bad guys discovered airplanes, too. As the author of the quote above relates, we human beings have a strong tendency to over-romanticize new technology, leaving ourselves — for at least some period of time — exposed to its dark side. In the past year, we’ve seen the same pattern in our love affair with the Internet, with well-publicized hacks at Sony, Morgan Stanley and Anthem, and revelations regarding national “cyber-armies” changing the debate permanently. The alarms that are going off from the White House straight through to local insurance agencies will ring for some time to come. To stay ahead of the curve, insurance producers large and small will need to put together cybersecurity plans. This article identifies some good resources and a little experienced advice for the task at hand.
How we got here
Things have been getting bad for a while. When Evgeny Morozov wrote The Net Delusion in 2011, it was the heady days of the Arab Spring, when many believed the Internet would “foster democracy, equality, and freedom” through movements like “The Twitter Revolution.” The point the book made was this: “That’s a nice idea, but the bad guys are just as good at technology as we are, so that’s all very unlikely to happen.” Morozov advocated “cyberagnosticism.” As if to underscore the point, terrorists have since demonstrated sophisticated recruiting acumen through the Internet, including within the United States, and are also selling themselves based on their hacking abilities.
In February 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity”. In it, critical infrastructure was described as “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Executive Order also empowered the National Institute of Standards and Technology (“NIST”) to develop a framework to improve critical infrastructure cybersecurity, which the NIST issued in February 2014 (the “NIST Framework”). The NIST Framework is unfortunately written in the enterprise risk management (ERM) consultspeak that is prevalent in the financial services industry today, so it is no doubt overcooked for the average producer.
In December 2014, the NIST held a workshop and issued an Update in which it discussed ways to make the NIST Framework more relevant to medium and small sized businesses. This past April, the U.S. Department of Justice (DOJ) Cybersecurity Unit issued “Best Practices For Victim Response and Reporting of Cyber Incidents” (DOJ Best Practices), which were drafted to assist “smaller, less well-resourced organizations” prepare cyber incident response plans and more generally prepare for an incident. According to the DOJ, cyber incident response plans would address at minimum:
- Who has lead responsibility for different elements of an organization’s cyber incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions;
- How to contact critical personnel at any time, day or night;
- How to proceed if critical personnel are unreachable and who will serve as back-up;
- What mission critical data, networks, or services should be prioritized for the greatest protection;
- How to preserve data related to the intrusion in a forensically sound manner;
- What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen; and
- Procedures for notifying law enforcement and/or computer incident-reporting organizations.
The insurance regulatory response
If there was any question whether the federal push for better cybersecurity had reached local insurance agencies, the National Association of Insurance Commissioners (“NAIC”) recently answered that question in the affirmative. The question had begun to be framed in November 2014 when the NAIC formed a Cybersecurity Task Force. In February, the Anthem breach occurred, impacting potentially 80 million customers. Also in February, the New York Department of Financial Services (“NYDFS”) issued a report on its survey of the industry, noting that most insurers’ ERM frameworks did not sufficiently escalate cybersecurity risk. The report was followed up by further information requests to the industry.
In April, after taking industry comment, including from the National Association of Professional Insurance Agents, the Cyber Task Force adopted and released its Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “NAIC Principles”). These set the stage for state insurance regulations affecting insurers, producers, and other regulated entities, such as TPAs. The first NAIC Principle encourages state insurance regulators to avoid a multiplicity of conflicting regulations and to “collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.” In the same vein, Congress is working hard on new federal cybersecurity legislation that could result in a single federal data breach notification statute to replace the different state laws that have emerged over the last several years.
Nonetheless, there is little sense in producers waiting for a single federal/state fix, because the NAIC Principles also set several minimum guidelines that will emerge either through direct regulation, licensing process, or a combination. These minimum standards include:
Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.
Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.
The upshot is that even small producers can expect that they will need to: (1) comply with a minimum set of cybersecurity standards; (2) develop incident response plans at least like that described in the DOJ Best Practices; (3) implement employee training programs; and (4) conduct a cybersecurity assessment. Pursuant to Principle 8, we can expect that many insurers and insureds may ultimately require evidence of these in order to do business with producers, and producers may be expected to request similar evidence from their partners. We can expect that when it comes to smaller producers, the regulatory burden will take their resources into account and be flexible; nonetheless, “something” will be mandated.
Recommendations for getting started
At an insurance producer level, there is a compelling case for action without any regulatory influence — a producer is not just protecting customer PHI and PFI, a producer is protecting its reputation and business. Hackers are targeting less sophisticated companies and have gone after healthcare companies like Anthem precisely because they hold the same PHI and PFI data that a producer may hold. In addition, some producers’ systems interface with their carriers, which might provide hackers with a backchannel to hack the insurers’ systems. The potential for embarrassment and loss of business is only growing as the number of hackers and their resources grow. Moreover, as one of the leading cybersecurity firms notes, a multitude of potential direct attacks occur on a daily basis — from ransomware to malicious software to disloyal and/or sabotaging employees. These attacks can shut down a producer’s ability to operate. Nowadays, good cybersecurity is just part of good business hygiene.
If a producer has not yet started down the path, or is looking to improve on what it has in place, the question is how to do so economically and correctly. While both the DOJ and NAIC have recommended the NIST Framework for designing an incident response plan, it’s too unwieldy for a small producer that wants practical advice. So, in fashioning an incident response plan, the DOJ’s minimum guidelines are helpful, but so is the Small Biz Cyber Planner produced by the Federal Communications Commission. Both the FCC and the National Cyber Security Alliance have good tip sheets to deploy as part of a training program. The Better Business Bureau also has good resources, and the California Attorney General provides basic guidance for small businesses as well. We can hope that state regulators will look to these more tailored materials for development of producer standards and guidelines, in some more sensible combination with the NIST Framework.
Getting counsel involved
As for the “assessment” described in NAIC Principle 12, we offer a note of caution, and not just as a plug for the legal profession. As The National Cyber Security Alliance notes:
Performing risk management responsibilities may inherently reveal sensitive information about the firm’s risk posture. Most firms are concerned with such information being discoverable in a lawsuit that results from a security breach and thus working against the firm whether the risks were caused intentionally or accidentally. For this reason, it is advisable to work through internal or external counsel so the data may be controlled under attorney-client privilege.
Simply put, a cybersecurity assessment is an exercise in liability management. Without question, the producer who suspects a hack will want the assessment done under legal privilege. Even in the absence of suspicion, having a lawyer govern the analysis is wise. Until there is an assessment, a business does not know whether it has been hacked and to whom it has been exposed.
In addition, cybersecurity vendors sometimes use standards that are too rigorous, resulting in a “failing” grade that could be used against the producer in future litigation. Counsel can properly scope the standard, as well as act on information learned; otherwise, without that first step, a given producer may wind up in the Catch-22 of a failing grade that it does not have the resources to remedy.
Any technology needs to be re-balanced to keep out the crooks and keep people from being hurt. The last 20 years have seen developments in business capability and information awareness that used to occur over centuries. Good cybersecurity is the price of the ticket to the future.