Addressing cyber security risks requires an increasing share of a company's resources. The explosion of different groups trying to disrupt operations or steal information from organizations has made addressing these threats mandatory, not optional. While cyber security issues affect many industries, the insurance industry is particularly susceptible to being targeted. Although the insurance industry is already highly regulated, cyber threats add another layer of potential risk and oversight that can be just as important as the financial and market regulation already in place.
Insurance company breach will result in regulatory action
Presently, there is no single regulatory agency or clearinghouse for establishing cyber threat standards. This makes pre-planning a response to a data breach critical. The present landscape of different state and federal agencies, all with interest in any insurance company experiencing a data breach, makes it highly likely that a breach will result in regulatory action.
While the primary regulating bodies for insurance companies emanate from the States, a data breach will also likely trigger a Federal response. If the insurance carrier is a multi-state or national company, each state will have an interest in the data breach. Communication should be centralized and a company's compliance efforts should be coordinated. Pre-planning should take place as the window to respond to a data breach can be as short as 30 days from the event. In addition to the Departments of Insurance or Financial Services involvement, some States' Attorney General offices will also get involved. For these reasons, preparing a response prior to a breach is a must.
NAIC brings clarity to the insurance industry
A cautionary lesson is taught by the recent case of the Anthem/Blue Cross data breach. The first Federal agency to investigate and monitor the response of Anthem/Blue Cross was the Federal Trade Commission (FTC). Other Federal agencies soon joined it, and ultimately even Congress became involved in the investigation. Since the data breach included HIPAA-protected information, Anthem/Blue Cross also had to respond to inquiries from the United States Department of Health and Human Services (HHS).
The burden of response quickly escalated as insurance departments from the other states, as well as multiple Attorney General offices, submitted their own regulatory inquiries. The total burden of response mushroomed to 56 different inquiries. Anthem/Blue Cross's response became so cumbersome that the National Association of Insurance Commissioners (NAIC) eventually joined the fray in an effort to consolidate and coordinate the multi-state investigation. To the NAIC's credit, it saw the potentially disruptive effect of this response and established a working group to bring more clarity to the industry.
Since the involvement of so many agencies can result in significant investigative costs and fines emanating from even a minor data breach, the NAIC assigned its Cybersecurity Task Force to bring standardization to the issue. In April, the NAIC Cybersecurity Task Force released a document called "Principles for Effective Cybersecurity: Insurance Regulatory Guidance." With such an impressive name, the hope was that it would provide clearer rules for the industry to follow. But as Captain Barbossa so famously quipped in Pirates of the Caribbean, "The code is more what you'd call 'guidelines' than actual rules."
Nevertheless, the NAIC provided 12 primary principles for regulators and the industry to follow, which are paraphrased as follows:
- A general understanding that state regulators should collaborate with companies, federal agencies, and each other to achieve a consistent and coordinated approach to cyber security
- Confidential or personally sensitive information that is collected should be appropriately safeguarded
- In the event of a breach, notification should be provided promptly
- Cyber security regulatory guidance for insurers must be flexible, scalable, practical, and consistent with national standards
- Regulatory guidance must be risk-based and must consider the resources of the insurer, with the caveat that a minimum set of cybersecurity standards must be in place for the entire industry regardless of the size and scope of a company's operations
- State insurance regulators should provide oversight of cyber security issues in conjunction with financial and market conduct examinations
- It is essential for the industry to plan its incident response in the event of a breach
- The industry must take steps to ensure third parties and service providers have adequate measures or controls to protect personal information
- Cyber security transcends the information technology department and must include all facets of an organization
- Internal audit findings relating to information technology (especially those identifying material risks) should be reviewed by the board of directors or an appropriate oversight committee which reports to the board
- It is essential that carriers use information-sharing and analysis organizations to help protect against emerging threats and vulnerabilities
- Periodic and timely training and evaluation of employees, vendors, and other third parties regarding cybersecurity issues
While some of the guidelines are obvious, the overall perspective provided by the NAIC reflects a thoughtful approach to a growing problem. It means that companies must evaluate and plan according to their own ability, given their strengths and weaknesses, to provide meaningful security for the data they maintain. While the regulatory guidance is not designed to be overbearing, keep in mind that there will still be minimum standards which must be maintained. It also means that response plans and data security monitoring must be routinely updated.
So while the NAIC rules are not as "bright-line" as some would hope, one thing is crystal clear: Insurers must work to stay informed of the new requirements so they can keep their companies and clients in compliance in this evolving field.
Jose Pagan is a Partner in Kelley Kronenberg's Tallahassee Office, focusing his practice on Insurance Defense and Regulatory matters. He can be reached at (850) 577-1301 or jpagan@kelleykronenberg.com.