Breach, Data Security

NYDFS issues report, announces targeted security assessments for insurance companies


Insurance providers in New York dedicate seven percent or less of overall budgets for information security, and the majority – 95 percent – believe that they have adequate staffing levels for information security.

Those stats are part of a February 2015 report on cybersecurity in the insurance sector by the New York State Department of Financial Services (NYDFS), which surveyed 43 regulated insurance companies – 21 of which were health insurance providers, 12 that were property and casualty insurance providers, and 10 that were life insurance providers.

The survey was prompted by an increasing number of high-profile breaches that put personal information at risk for sometimes millions of individuals. The NYDFS is using the report to gain insight into how the insurance industry is preventing cybercrime and protecting sensitive data because it will take on initiatives in the coming weeks and months to shore up cybersecurity at regulated insurance companies.

“These include integrating regular, targeted assessments of cyber security preparedness at insurance companies as part of the Department's examination process; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors, and other measures,” the report states.

As it turns out, the report shows that insurance companies are keeping security in mind.

Between 95 and 100 percent of insurers said they are using security technologies to prevent data breaches, including anti-virus software, tools to detect malicious code, firewalls, intrusion detection tools, and encryption for data in transit.

Additionally, 98 percent of insurers reported using an information security framework containing the NYDFS's key elements of a security program: a written information security policy, training, audits, risk management, and incident monitoring and reporting.

However, breaches are still happening.

In the last three years, 35 percent of insurers reported having experienced between one and five breaches, two percent reported having experienced between six and 10 breaches, and five percent reported experiencing more than ten breaches.

As a result of those breaches, 12 percent of insurers reported a telecommunications network disruption and five percent reported account takeovers. Of breaches occurring within the last 12 months, one institution reported a loss of between $6 million and $10 million, and 25 percent of insurers reported damages of $500,000 or less. 70 percent reported suffering no losses.

Looking forward, 40 percent of insurers reported needing to modify strategies to address emerging threats, and 14 percent reported needing to investigate further to understand emerging threats. More than half of insurers reported that their information security strategy adequately addresses emerging threats.

Only two percent of insurers reported insufficient budget as a barrier to ensuring information security – instead, 81 percent cited an increasing sophistication of cybersecurity threats as a barrier, and 72 percent named emerging technologies.

The NYDFS did not respond to a request for additional information.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.