The State of New York has launched an inquiry into the steps taken by the largest insurance companies to keep their customers and companies safe from cyber threats. This is the second inquiry of this kind. Earlier this year, a similar investigation targeted the cyber security practices of New York-based financial institutions.
On May 28, 2013, the New York Department of Financial Services (DFS) issued letters pursuant to Section 308 of the New York Insurance Law (“308 Letters”) to 31 of the country’s largest insurance companies, requesting information on the policies and procedures they have in place to protect health, personal and financial records in their custody against cyber attacks.
Among other things, the 308 Letters request:
- Information on any cyber attacks to which the company has been subject in the past three years;
- The cyber security safeguards that the company has put in place;
- The company’s information technology management policies;
- The amount of funds and other resources that are dedicated to cyber security;
- The company’s governance and internal control policies related to cyber security.
The insurance companies will have a short period to respond to the questionnaire. For further detail, see the press release of the New York Governor’s Office.
It is not clear what the State of New York will do with the information collected from the responses to this inquiry, but this initiative is likely to be followed with great interest by other state insurance and financial industry regulators. Indeed, both insurance and financial services institutions collect, process and retain a significant amount of highly sensitive personal information about prospective, current and past customers.
Companies in the insurance or financial services sectors, as well as their respective service providers, should take the time to review their risk assessments, policies and procedures, especially with a focus on evaluating whether they adequately address known vulnerabilities, meet the current “best practices” standards, and are keeping up with the most recent technologies and forms of cyber attacks.