Dialog between Regulators and Insurers Is Imperative in Response to Requests for Information Concerning Cybersecurity


The State of New York has launched an investigation into the policies and procedures established by New York’s largest insurance companies to secure their electronic systems from unauthorized access. Through the use of so-called “308 Letters” issued by the New York Department of Financial Services (Department), these insurers must provide specific information, including:

  • Information regarding any cyber-attacks in the past three years
  • Cybersecurity safeguards that the insurer has in place
  • Information technology management policies
  • Amount of funds and other resources expended on cybersecurity
  • Governance and internal controls related to cybersecurity.

In responding to a 308 Letter, the requirements of New York Insurance Regulation 173 should be considered. Regulation 173, promulgated in 2002, provides that insurers must implement a comprehensive written information security program (WISP), which must be adjusted as changes in technology and other specified circumstances warrant. Insurers responding to a 308 Letter may benefit from reviewing any materials developed in 2002 in response to Regulation 173.

In preparing responses to a 308 Letter, insurers and regulators need to consider the sensitivity of the information being sought and how this information could be misused by hackers. It will be important to satisfy regulators’ concerns by responding accurately and truthfully, while remaining mindful that detailed descriptions of cybersecurity measures, policies and procedures could provide would-be hackers with a road map, enhancing their ability to obtain the sensitive data that the insurer is protecting. Resolving these issues will be facilitated by thoughtful discussion between responding insurers and regulators, aided as needed by counsel and security consultants.

 

Topics:  Cybersecurity, Department of Financial Services, Insurance Investigations

Published In: General Business Updates, Finance & Banking Updates, Insurance Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Elser | Attorney Advertising
