“In the 1920s and much of the 1930s, most people expected the airplane to foster democracy, equality, and freedom, to improve public taste and spread culture, to purge the world of war and violence, and even to give rise to a new kind of human being.” — Evgeny Morozov, The Net Delusion at 278 (Public Affairs 2011).
For those of us who remember, some tiny residue of this rosy sentiment lingered in commercial air travel into the 1990s, and then the bad guys discovered airplanes, too. As the author of the quote above relates, we human beings have a strong tendency to over-romanticize new technology, leaving ourselves — for at least some period of time — exposed to its dark side. In the past year, we’ve seen the same pattern in our love affair with the Internet, with well-publicized hacks at Sony, Morgan Stanley and Anthem, and revelations regarding national “cyber-armies” changing the debate permanently. The alarms that are going off from the White House straight through to local insurance agencies will ring for some time to come. To stay ahead of the curve, insurance producers large and small will need to put together cybersecurity plans. This article identifies some good resources and a little experienced advice for the task at hand.
How we got here
Things have been getting bad for a while. When Evgeny Morozov wrote The Net Delusion in 2011, it was the heady days of the Arab Spring, when many believed the Internet would “foster democracy, equality, and freedom” through movements like “The Twitter Revolution.” The point the book made was this: “That’s a nice idea, but the bad guys are just as good at technology as we are, so that’s all very unlikely to happen.” Morozov advocated “cyberagnosticism.” As if to underscore the point, terrorists have since demonstrated sophisticated recruiting acumen through the Internet, including within the United States, and are also promoting themselves on the strength of their hacking abilities.
In February 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” In it, critical infrastructure was described as “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Executive Order also directed the National Institute of Standards and Technology (“NIST”) to develop a framework to improve critical infrastructure cybersecurity, which NIST issued in February 2014 (the “NIST Framework”). The NIST Framework is unfortunately written in the enterprise risk management (ERM) consultspeak that is prevalent in the financial services industry today, so it is no doubt overcooked for the average producer.
In December 2014, NIST held a workshop and issued an Update in which it discussed ways to make the NIST Framework more relevant to medium- and small-sized businesses. This past April, the U.S. Department of Justice (DOJ) Cybersecurity Unit issued “Best Practices for Victim Response and Reporting of Cyber Incidents” (DOJ Best Practices), which were drafted to help “smaller, less well-resourced organizations” prepare cyber incident response plans and, more generally, prepare for an incident. According to the DOJ, a cyber incident response plan should address at minimum:
- Who has lead responsibility for different elements of an organization’s cyber incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions;
- How to contact critical personnel at any time, day or night;
- How to proceed if critical personnel are unreachable and who will serve as back-up;
- What mission critical data, networks, or services should be prioritized for the greatest protection;
- How to preserve data related to the intrusion in a forensically sound manner;
- What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen; and
- Procedures for notifying law enforcement and/or computer incident-reporting organizations.
The insurance regulatory response
If there was any question whether the federal push for better cybersecurity had reached local insurance agencies, the National Association of Insurance Commissioners (“NAIC”) recently answered that question in the affirmative. The question began to take shape in November 2014, when the NAIC formed a Cybersecurity Task Force. In February, the Anthem breach occurred, potentially affecting 80 million customers. Also in February, the New York Department of Financial Services (“NYDFS”) issued a report on its survey of the industry, noting that most insurers’ ERM frameworks did not sufficiently escalate cybersecurity risk. The report was followed by further information requests to the industry.
In April, after taking industry comment, including from the National Association of Professional Insurance Agents, the Cybersecurity Task Force adopted and released its Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “NAIC Principles”). These set the stage for state insurance regulations affecting insurers, producers, and other regulated entities, such as TPAs. The first NAIC Principle encourages state insurance regulators to avoid a multiplicity of conflicting regulations and to “collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.” In the same vein, Congress is working hard on new federal cybersecurity legislation that could result in a single federal data breach notification statute to replace the differing state laws that have emerged over the last several years.
Nonetheless, there is little sense in producers waiting for a single federal/state fix, because the NAIC Principles also set several minimum guidelines that will emerge through direct regulation, the licensing process, or a combination of the two. These minimum standards include:
Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.
Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.