The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the Report does not directly address the Anthem breach (the Department addressed Anthem’s breach in a separate alert), its findings provide a detailed look at the current cyber security landscape in which the Anthem breach occurred.
The Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department.
To read more on the Report, head over to our sister blog, Mintz Levin’s Health Law & Policy Matters.