Cybersecurity: Integral to Overall Risk Management for Insurers and TPAs

Polsinelli

Recent data breaches have brought cybersecurity to the attention of insurance companies, and serve as a reminder to third-party administrators ("TPAs") that cybersecurity issues are a serious compliance and regulatory concern. In February, the New York Department of Financial Services ("DFS") became the first insurance regulator to address cybersecurity, issuing the "Report on Cyber Security in the Insurance Sector," which summarizes the results of a survey completed by 43 insurers about their cybersecurity programs, costs, and future plans. The survey covered the following areas:

  • The insurer's information security framework;
  • The use and frequency of penetration testing and results;
  • The budget and costs associated with cybersecurity;
  • Corporate governance around cybersecurity;
  • The frequency, nature, cost of, and response to cybersecurity breaches; and
  • The company's future plans on cybersecurity.

Based on survey results, the DFS undertook initiatives to help strengthen cybersecurity at regulated insurance companies, noting that "[r]ecent cybersecurity breaches at financial institutions and other major corporations should serve as a wake up call for insurers to redouble their efforts to strengthen their cyber defenses – particularly given the level of sensitive consumer information that insurers are entrusted with handling." One initiative listed by the DFS included exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors.

Shortly thereafter, on March 26, 2015, the New York Superintendent of Financial Services issued a Letter to Insurers on Cyber Security. The Letter stated that the DFS has expanded its examination procedures to focus more attention on cybersecurity and encouraged all institutions to view cybersecurity as integral to their overall risk management. The Letter lists many new questions and topics that will be incorporated into the existing IT examination. Issues particularly relevant to TPAs include management of third-party service providers. Additionally, each institution was required to provide a report, which included the following information:

  • "Describe your institution's due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers;
  • "Describe any protections that your institution uses to safeguard sensitive data that is sent to, received from, or accessible to third-party service providers, such as encryption or multi-factor authentication; and
  • "List any and all protections against loss or damage incurred by your institution as a result of an information security failure by a third-party service provider, including any relevant insurance coverage."

Given that regulators and insurance companies are going to be more closely scrutinizing the cybersecurity practices of TPAs, it is important for TPAs to ensure that they maintain a robust cybersecurity plan.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
