In September and October 2021 alone, the Federal Trade Commission, the New York State Department of Financial Services, and the Securities and Exchange Commission all signaled their plans for a cybersecurity squall.
On September 13, 2021, the Federal Trade Commission (FTC) submitted a report to Congress identifying four priority areas for its ongoing data privacy and security work. Most significant for life insurers is the agency’s plan to expand its understanding and guidance regarding the use of algorithms, which could impact life insurers’ underwriting processes. The FTC also requested that Congress “enact privacy and data security legislation, enforceable by the FTC,” for which the FTC sought expanded “civil penalty authority [and] APA rulemaking authority.” The FTC followed up the report by releasing revisions to its Safeguards Rule and a supplemental notice of proposed rulemaking to require reporting to the FTC within 30 days of security incidents reasonably likely to impact 1,000 or more consumers.
On October 22, 2021, the New York State Department of Financial Services (DFS) issued a letter clarifying that covered entities remain responsible for their cybersecurity obligations, irrespective of reliance on an affiliate’s cyber program. When a covered entity adopts some or all of an affiliate’s cybersecurity program, the entity must “make available to DFS, upon request, all ‘documentation and information’ relevant to their cybersecurity programs … includ[ing] … programs adopted from an affiliate.” For covered entities relying on affiliates not otherwise regulated by DFS, this will require contractual provisions:
- Requiring the affiliate to comply with the requirements of the cybersecurity regulation with respect to any of the affiliate’s information systems that are shared with the covered entity; and
- Providing the covered entity with access, “at a minimum,” to the affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing, and vulnerability assessment results, and any third-party audits that relate to the adopted portions of the cybersecurity program of the affiliate.
On October 29, 2021, SEC Commissioner Elad Roisman gave a speech in which he encouraged entities to:
- Learn from the SEC’s cybersecurity guidance, especially cybersecurity and resiliency observations it published in January 2020; and
- Take steps to prevent and mitigate damage from cybersecurity attacks, including:
- Having an incident response plan;
- “Identifying, ahead of time, certain providers and experts that a registrant should call in the event of a cyber-incident”; and
- Performing a “tabletop” exercise.
Roisman also expressed his support for continued enforcement actions and his belief that the SEC should “consider rules that provide registrants — particularly investment advisers and public issuers — with more of an idea of what we expect of them in today’s marketplace,” especially regarding breach notification.
On top of all this, the NAIC is establishing a new Innovation, Cybersecurity, and Technology (H) Committee, including a Cybersecurity (H) Working Group. A draft of the Working Group’s charges includes:
- Monitoring cybersecurity trends with the potential to affect the insurance industry;
- Advising on the development of cybersecurity training for state insurance regulators;
- Promoting communication across state insurance departments regarding cybersecurity risks and events;
- Overseeing the development of a regulatory cybersecurity response guidance document to assist state insurance regulators investigating insurance cyber events;
- Coordinating NAIC committee cybersecurity work across working groups;
- Working with the Center for Insurance Policy and Research to analyze cybersecurity-related information;
- Supporting state implementation efforts related to adopting the Insurance Data Security Model Law (#668); and
- Engaging with federal and international supervisors and agencies on managing and evaluating cybersecurity risk.
Ready your shovels and salt, the forecast is looking icy.