The New York Division of Financial Services (“NYDFS”) Superintendent Benjamin Lawsky, making good on warnings issued in October and December, 2014, sent a cybersecurity audit letter to one hundred and sixty insurance companies on March 26, 2015. The cybersecurity audits have begun in earnest and the insurance industry audits are no doubt just the beginning.
NYDFS indicated in the letter that it will “schedule IT/cybersecurity examinations after conducting a comprehensive risk assessment of each institution,” and requested a report on the recipients’ information safeguards. If a recipient insurance company had not heeded the warnings issued in October and December by Superintendent Lawsky to get its cybersecurity house in order with a comprehensive information security plan, workforce training and a breach response plan, it may be too late now to avert penalties, and those penalties can and most probably would be much worse if the company falls victim to a cyber attack.
The audit letter requests that the recipient provide a report covering 16 categories of information safeguards. These include copies of the company’s written information security plan, its breach response plan, evidence that the information security practices of third-party suppliers and business partners have been vetted, the limits of any cyber risk coverage, and the application of the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework regarding the use of encryption.
Future posts will discuss penalties levied for failure to meet the NYDFS criteria. By this time next year, New York’s much-discussed cyber breach notification statute put forth by Attorney General Eric Schneiderman may, in the event of a breach, ensnare companies that fall short of the sort of safeguards required by the NYDFS audit in litigation and attorney general investigations. The circle is closing on companies that do not take cybersecurity seriously, do not appropriately document their efforts to do so, and do not train the workforce to consider security to be everyone’s issue.
For further information on cybersecurity audit readiness and breach response, please contact Kenneth N. Rashbaum.