The New York Department of Financial Services recently sounded the alarm on cybersecurity for insurers, warning companies that they are at risk for attacks by hackers, being in possession of sought-after health and financial information.
“Cyber attacks against financial services institutions, including insurance companies, are becoming increasingly frequent and sophisticated. Insurance firms often possess large amounts of personally identifiable information (PII) and protected health information (PHI); safeguarding such information in digital format is technologically challenging and expensive,” stated the DFS in a recent report on the topic. “The decreasing cost of technology in general, while helpful to legitimate business entities, also makes it easier and cheaper for cyber criminals to disrupt systems and obtain access to protected data. Moreover, PII and PHI are becoming more valuable on the black market, which increases incentives for cyber attacks.”
The DFS promised that in the next several months, it will include assessments of cybersecurity readiness at insurers as part of the standard examination process. The assessments will demand higher standards for cybersecurity and examine how insurers vet third-party vendors on security matters.DFS Superintendent Benjamin Lawsky noted, “Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”
DFS’ report looked at 43 insurers, including health, property-casualty, and life companies, to assess their cybersecurity programs, with interesting results. Ninety-five percent of insurers felt they have adequate information security staff, but only 14 percent of insurer CEOs are briefly monthly on security procedures.
The department added, “Although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.”