As cyber security incidents targeting financial institutions grow in number, New York’s Department of Financial Services (DFS) implemented a cyber security regulation whose first certification deadline is quickly approaching.
The regulation was the first in the US to impose cyber security standards for the financial services industry in the midst of the looming threat of hack attacks threatening the privacy of consumer data.
Under the rule, the DFS states that institutions, including insurance companies, need to have a cyber security program to protect consumers’ private data, written policies approved by a board or senior officer, a chief information security officer, as well as plans in place “to help ensure the safety and soundness of New York’s financial services industry.”
With the certification deadline on Feb. 15, insurers are already preparing to meet the industry-wide standards imposed by the state.
Jaime Kahan, a Principal at Ernst & Young LLP who is with EY’s Cybersecurity practice focusing on financial services regulation, risk, and control, said that though some insurers already have chief information security officers or cyber policies in place, the DFS had outlined clearer expectations for firms, such as a dozen different policies they would expect from an institution.
As part of the regulations, there are also components on how companies need to respond to a cyber incident or breach, and how to report that to the DFS.
“Companies that have done well have good governance structures in place,” said Kahan. “There’s usually a holistic team approach – it’s not just a technology team that’s leading this.”
The principal recommends insurers set up a governance committee that goes across the organization and incorporates legal, risk and privacy perspectives. This ensures cyber security “is not just a technology issue, it’s a business issue,” she said.
Challenges in implementing such detailed and comprehensive regulations are to be expected. Money, for one, is on the minds of many as the cost of cyber security reform can be high.
“The real effect will be an enormous ballooning to the cost of compliance, which is likely not part of the financial institution’s current budget, and in many cases, the individuals to put these plans in place also do not exist within the firm,” said Richard Fernandez, executive vice president, professional lines at AmWINS Brokerage of Georgia, who specializes in cyber liability.
Salaries, the search for qualified vendors, disaster recovery, and records management are all pricey additions to companies’ bottom lines that come with meeting the DFS regulations.
Insurers are not only on the receiving end of the regulations. Fernandez told Insurance Business America that the new rule and chronic threats from hackers present opportunities for insurers with cyber policies.
“Ironically at a time when these firms may not want to add to the cost of their cyber exposure, it would make incredible sense to buy a cyber policy with an established carrier,” he said. “They often provide consultation, workshops and legal advice as part of the cost of the annual policy.”
Cyber policies also cover regulatory fines, penalties and proceedings, which is a major driver for financial institutions to get cyber insurance, said Fernandez.
Not that they have much choice in the matter.
The Center for Responsible Enterprise and Trade reported in 2016 that an estimated 79% of companies had experienced cyber incidents in the previous year, and that these incidents were growing by close to 40% annually.
“The cost to not being in compliance will be too high and can easily run into the millions of dollars,” said Fernandez.
Related stories:
Are we about to see a new generation of ransomware attacks?
Is cyber insurance provoking more cyberattacks?
