Dialog between Regulators and Insurers Is Imperative in Response to Requests for Information Concerning Cybersecurity


The State of New York has launched an investigation into the policies and procedures established by New York’s largest insurance companies to secure their electronic systems from unauthorized access. Through the use of so-called “308 Letters” issued by the New York Department of Financial Services (Department), these insurers must provide specific information, including:

  • Information regarding any cyber-attacks in the past three years
  • Cybersecurity safeguards that the insurer has in place
  • Information technology management policies
  • Amount of funds and other resources expended on cybersecurity
  • Governance and internal controls related to cybersecurity.

In responding to a 308 Letter, the requirements of New York Insurance Regulation 173 should be considered. Regulation 173, promulgated in 2002, provides that insurers must implement a comprehensive written information security program (WISP), which must be adjusted as changes in technology and other specified circumstances warrant. Insurers responding to a 308 Letter may benefit from reviewing the materials developed in 2002 in response to Regulation 173, together with any subsequent updates to the WISP, since these documents are likely to address much of what the Department is now asking about.

In preparing responses to a 308 Letter, insurers and regulators need to consider the sensitivity of the information being sought and how this information could be misused by hackers. It will be important to satisfy regulators’ concerns by responding accurately and truthfully, while remaining mindful that detailed descriptions of cybersecurity measures, policies and procedures could provide would-be hackers with a road map, enhancing their ability to obtain the sensitive data that the insurer is protecting. Resolving these issues will be facilitated by thoughtful discussion between responding insurers and regulators, aided as needed by counsel and security consultants.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Elser | Attorney Advertising
