Many insurers rely on outside vendors, including third-party administrators—better known as TPAs—to help them run their business operations. A major concern for insurers is managing the data security aspect of the TPA relationship. PC360 recently interviewed Jonathan J. Kelly, a corporate law partner in Sidley Austin’s New York Insurance group, to talk about insurers, TPAs and cyber security precautions.
PC360: As insurers pay closer attention to their cyber security policies and procedures given the recent rise in risk, what precautions should they have in place to help ensure that they’re protected via their third-party administrator (TPA) relationships?
Kelly: Insurers need to be thoughtful in designing policies and procedures (P&Ps) addressing TPA arrangements. Of course, the P&Ps should first and foremost be designed to protect the insurer’s policyholder data, which is inherently part of the TPA arrangement, particularly in the life and health context. At the same time, given the highly regulated environment and an ever-increasing emphasis by insurance regulators on cyber security issues, the P&Ps should contemplate the need to respond to regulatory inquiries and address current and future regulatory requirements. To that end, the P&Ps should address standards that must be followed by the TPAs with respect to the insurer’s data, as well as required contract provisions (including enforcement rights) to document the TPA arrangement.
The P&Ps should require that TPAs meet certain minimum standards throughout the term of the arrangement. To address constantly improving technology, qualitative or benchmarking standards, rather than merely prescriptive quantitative standards, should be considered. Nevertheless, given the constantly evolving nature of the issues, the P&Ps should be reviewed periodically (at least annually) and updated as necessary to take into account improved technology or new threats.
Terms and conditions in TPA agreements
PC360: Along these lines, questions have arisen over the terms insurers should use in their agreements with their TPAs. What exactly should be in these agreements to ensure these vendors use a company’s information accurately?
Kelly: Agreements with TPAs need to address a wide variety of issues with respect to policyholder data. In particular, the agreement must (1) provide the insurer with an understanding of the security implemented by the TPA at the time of signing; (2) ensure protection of the policyholder data throughout the term of the arrangement; and (3) allow for an orderly and safe winding down or termination of the arrangement.
Representations and warranties should be made by the TPA specifying the nature of, and warranting to the adequacy of, the cyber security measures in place. There should be corresponding ongoing performance requirements (covenants) that ensure that those measures remain in place and will be adapted and upgraded over time to conform to then-current and improving standards.
Additionally, the TPA should be required to regularly update its P&Ps for data security, and provide copies of the updated P&P to the insurer. The TPA should be obligated to provide the insurer with reports (immediately upon a breach, otherwise periodically) as to security measures and issues, and give the insurer reasonable access to the appropriate responsible personnel and, possibly, systems to review and audit the TPA’s data security measures.
Finally, the agreement should address the ultimate termination of the arrangement and the transition or handing-over of the data to the insurer or another third-party administrator. Whether the TPA will retain any legacy data beyond the termination will present additional challenges to the parties that should be considered.
PC360: You’ve noted that holding a TPA accountable for the costs of a breach can be challenging given the financial impact a breach could have relative to the fees a TPA is paid for its services. How should insurers best tackle this issue?
Kelly: The accountability of a TPA is perhaps the most challenging issue facing the insurer. A data breach at the TPA can have a far-reaching impact on the insurer, exposing the insurer to financial loss, loss of customer confidence, regulatory issues and litigation. Measuring and quantifying these risks, even if the TPA is fully responsible and financially able to meet those obligations, is a considerable challenge. Furthermore, an insurer can’t simply be made whole for certain things, such as a resulting deterioration in reputation.
In nearly every data breach there is the question of the breached company’s relative fault. The parties in a TPA arrangement must consider whether financial accountability for the breach should attach only if attributable to, and to the extent of, the TPA’s “fault.” Whether that “fault” is due to negligence, gross negligence, misconduct or the breach of some other standard is an important consideration. Such considerations are often decided by the relative bargaining positions of the parties at the time of the contract, as well as industry practice and the magnitude of the TPA’s overall compensation in the arrangement.
In any event, insurers must consider the question of accountability (and whether accountability can be fully provided by even the most credit-worthy counterparties) in their overall risk management assessments. Data breach “exposure” should be analyzed in a holistic way by the insurer, including with respect to each individual TPA arrangement. Consideration of risk mitigation measures, such as purchasing cyber breach insurance coverage, using multiple TPAs to diversify the risk, and enhancing TPA oversight, should be made on an ongoing and regular basis by the insurer.
State and federal regulations
PC360: Lastly, you’ve mentioned that although the insurance regulatory regime has followed a state-by-state approach in areas outside of cyber security, the interstate nature of cyber security will require a more unified approach. What sort of unified approach have we seen to date, and have regulators yet addressed the issue of TPAs and cyber breaches? Or do you suspect they will?
Kelly: The state insurance regulatory regime is focused on consumer protection. The regulation and protection of policyholder data held by insurers and the insurers’ TPAs fits squarely within that regime. However, cyber security is a somewhat unique issue facing the state insurance departments. Most insurance departments don’t yet have the specific technical expertise and resources to fully assess and address the systems and computer issues associated with cyber security.
There has yet to be developed a set of agreed-upon standards for insurers to help ensure the protection of policyholder information, leaving insurance regulators without clear technical guidance. Additionally, cyber crimes and data breaches typically affect policyholders in many states at one time, confusing the jurisdictional question of which regulator and regulatory regime should control.
As a result, the industry faces a crossroad with respect to these cyber security issues. Should the states individually consider and study the issue in an effort to develop a standard for each particular state? Or, should the states collaborate and approach the issues in a more unified manner? In my view, for the reasons outlined previously, we’ll see a more unified approach in this area than we’ve seen in other areas. We’ve already observed reassuring signs of this in the work being done at the NAIC [National Association of Insurance Commissioners] level. That said, the ability of the states and the NAIC to act quickly and effectively in this area will be an important determining factor in reaching any unified approach.
Jonathan J. Kelly is a corporate law partner in Sidley Austin’s New York Insurance group. He represents insurance companies, financial institutions, investors and regulators in transactional matters, including mergers and acquisitions, reinsurance matters, risk transfer and restructurings.