With so many cyber threats and regulatory changes, how do keep your insurance business intact – and successful?
The cybersecurity threat environment is increasingly hostile, with cyber-attacks costing the U.S. economy upwards of $100 billion annually. Recent cyber-attacks on companies like Equifax impacted nearly 150 million people and some recent ransomware attacks on the UK and Ukraine have spurred on regulatory activity.
However, IT budgets are not expanding fast enough to keep pace with the escalating threats. Ask any Chief Information Officer (CIO) or Chief Information Security Officer (CISO) whether they have enough budget to satisfactorily address their concerns and threats and they will most likely say “no.”
But cyber threats aren’t the only challenge insurers and financial services firms face today. Government regulations are also taking a toll. Major regulations like the recent Department of Labor (DOL) rule had a substantial impact on Life & Annuity carriers who often had to interrupt in-flight efforts to focus on DOL compliance. In fact, many of the top sellers reported losses upwards of 25 percent in 2016 as a result of the regulation.
And another rule – the NY State Department of Financial Services (DFS) Regulation – is now changing the way carriers in New York can do business. But the impact of this regulation will reach further than just New York State.
With all these threats, changes, and regulations, a CISO may be wondering, how do I approach this and keep my insurance business intact – and successful?
Steps to Achieve Cyber Security Regulatory Compliance
The regulation may seem daunting at first glance. Reading and interpreting the actual code can also be intimidating, but many of the regulation items will be familiar to companies of any substantive size. All it does is pull together several best practices into a comprehensive program that is organized and repeatable.
Still, some companies may need to start a cybersecurity program from scratch if they have been deferring projects that mitigate current cyber threats.
Here are the steps you can take to achieve compliance and deter cyber threats:
#1 – Hire a CISO
If you have a CISO in place at your company, you are already off to a good start. By having someone in this role, your company inherently understands the issues here. A good CISO will already have:
- some of these items addressed or at least on their radar
- implemented a formal tracking, notification and reporting process
- plans in place to address all of the compliance gaps
If you do not have a CISO, you most likely will require some external assistance. We have summarized the regulation in lay terms, but you should seek the advice of a professional to help guide you by providing an assessment of your current state compared to the regulatory requirements.
That is a great place to start. And reading the overview of the regulation ahead of time will help you understand not only the specific requirements but how they are related.
#2 – Build an NIST Framework
Organizations can move forward and implement the requirements in this regulation piecemeal, but a more strategic approach would be to build out a security framework, through which you satisfy the NYS-DFS requirements and numerous other state and federal cybersecurity regulations.
Use of a security framework has the added benefit of ensuring you follow best security practices to protect your organization’s information and customers. The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is an industry standard framework you can use for this purpose.
The most important thing to note about NYS-DFS is that it is based on the NIST CSF, which is built around these five functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity event.
You can, therefore, use the CSF as a basis for meeting the new regulations. The benefit of this approach is that you can then use CSF to support other compliance regulations you may need to meet and be able to effectively report on a range of compliance requirements.
#3 – Develop a Compliance Strategy
Achieving compliance and overcoming cybersecurity challenges can be a lot for one business to take on at once. Here’s our recommended approach:
- Identify your unique culture, circumstances, and what changes are required to meet regulatory deadlines that will be impacting your business.
- Focus on where you need help and work to identify and mobilize the right assistance whether it’s a person or a team.
- Make sure to address planning, gap analysis, design and implementation of changes required by the NY DFS Cybersecurity regulation.
- Take into consideration whether this effort will require you to enable and sustain change, improve operational performance and transform and grow your business.
Once you have taken a broader look at your organization to develop a compliance strategy, start by prioritizing the largest gaps in your program by due date and complexity. You’ll need to take action on these as soon as possible.
Then determine whether you can address these internally with your staff, or if whether you need to add resources or outsource some or all of the work needed to be compliant. An organized approach that deconstructs the regulation into smaller components is the best way to “eat the regulatory elephant.”
This effort may appear to the uninformed as an overhead expense that is a distraction for your company, but in reality it improves your company by mitigating cyber-risks, as well as protecting you and your customers! It is a necessary cost for reaping the many benefits of doing business in the technology age.
In summary, the NY DFS Cybersecurity regulation is in play now and impacting carriers doing business in the state of NY. Similar regulations will undoubtedly affect carriers in other states. Getting your CISO in place is critical and planning your compliance strategy should be a priority.
Not sure how to get started? Let’s do it together. Our blend of industry perspective, business and technology services combined with a flexible, local delivery approach allows us to help you achieve compliance and strengthen your position in the market.
About NY DFS Regulation 23 NYCRR 500
Due to the increasing number of cyber events and estimates of potential risk to our financial services industry continuing to grow, this regulation was implemented to promote the protection of customer information as well as the information technology systems of regulated entities.
This regulation requires each company to assess its own specific risk profile and design a program that addresses its risks in a robust fashion. The regulation took effect on March 1, 2017 and requires that banking, insurance and financial services organizations regulated in the state of NY be fully compliant with the regulation by March 1, 2019.
Authors & Contributors: Robert Hunter, Errol Yudelman and Sean Sweeney