On March 26, 2015, Benjamin Lawsky, Superintendent of the New York State Department of Financial Services (DFS), sent a letter to the CEOs, General Counsel, and Chief Information Officers of all insurers doing business in the state to inform them of a mandatory cybersecurity questionnaire and the initiation of targeted cybersecurity examinations. Approximately 160 insurers will be affected by the initiative.
In the letter, Lawsky “encourages all [financial] institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” As a result, the DFS plans to augment its existing IT examination framework with a variety of new topics. These topics include corporate governance, management of cybersecurity issues, resources devoted to cybersecurity and risk management, risks posed by shared infrastructure, protections against intrusion, information security testing and monitoring, incident detection and response, training, management of third-party service providers, integration of information security into business continuity and disaster recovery policies and procedures, and cybersecurity insurance coverage.
DFS will schedule these expanded examinations after the subject insurers complete a “comprehensive risk assessment.” In order to perform these assessments, DFS requests that the recipients of the letter reply to a list of 16 questions as well as complete a “Platform Data Sheet” attached to the letter. The questions range from requesting the CV of the recipient’s CISO and inquiring about the use of various technical controls such as multi-factor authentication to asking about practices implemented with regard to third-party service providers.
Notably, the questionnaire requests “a copy of, to the extent it exists in writing . . . your institution’s incident response program, including how incidents are reported, escalated, and remediated.” It also asks the recipients to “describe any steps your institution has taken to adhere to” the NIST Cybersecurity Framework “concerning third-party stakeholders.”
Responses to the questions are due no later than April 27, 2015.
The letter follows closely on the heels of several recent, widely publicized data breaches at health insurers. However, this is not the DFS’ first foray into cybersecurity – in May 2013, the DFS sent a letter to New York’s largest insurance companies requesting that they provide certain information about their cybersecurity practices. In December 2014, Lawsky also issued a letter to all New York State-chartered or licensed banks to inform them of a new cybersecurity component to their examinations.