Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
March 30, 2020

Insurance Industry Cybersecurity and COVID-19: The Importance of Risk Assessments

As companies seek to adapt to the worsening effects of the COVID-19 pandemic, security experts, as well as government agencies, including the FBI, are sounding the alarm on a drastic increase in the amount of cybersecurity threats facing the public. For example, the Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about the growing risks to information technology systems, both in the private sector as well as at federal agencies, such as the Department of Health and Human Services, during this time. Not only are insurers and other businesses more vulnerable due to the recent transition to a work-from-home environment, where security controls are more difficult to enforce and oversee, but malicious actors are taking advantage of the ongoing crisis by launching phishing and spoofing campaigns purporting to be official government health websites. In light of this quickly evolving cybersecurity landscape, insurance companies, financial institutions and businesses across many industries must not neglect periodic risk assessments.

For insurers, adherence to the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law will be critical in preventing, and if necessary, minimizing the impact of, cybersecurity threats during these changing times. In addition, for New York-based insurers and other financial institutions, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR 500, provides thorough guidelines. Aptly, both regulations stress the importance of ongoing and continuous evaluation and re-evaluation of a company’s information systems and the importance of adapting to changing circumstances.

Under the NAIC’s Model Law, which incorporates many of the NYDFS Regulation’s provisions, and which has been adopted by 10 states thus far, insurers must perform risk assessments of their information security programs. As required by the model law, insurers must perform ongoing assessments, no less than annually, to assess the effectiveness of safeguards, controls, systems and procedures. MDL 668-1, § 4(C). Moreover, insurers must “stay informed regarding emerging threats or vulnerabilities,” § 4(D), and “monitor, evaluate and adjust, as appropriate, the Information Security Program consistent with any relevant changes in technology, […] internal or external threats to information, and the [insurer’s] own changing business arrangements.” § 4(G).

Similarly, under the NYDFS Regulation, covered entities such as insurers and banks must conduct a periodic risk assessment of their information systems “sufficient to inform the design of the cybersecurity program.” Particularly relevant in today’s fast-changing landscape, these risk assessments should “respond to technological developments” in the entity’s information systems or business operations related to cybersecurity and must be “updated as reasonably necessary to address [those] changes.” 23 NYCCR 500.09(a)-(b).

With these guidelines in mind, and in light of increased risks of phishing attacks and email spoofing, ongoing risk assessments will play a vital role in defending insurers and other financial institutions against malicious actors during this unprecedented time.

As the number of cases around the world grows, Faegre Drinker’s Coronavirus Resource Center is available to help you understand and assess the legal, regulatory and commercial implications of COVID-19.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Related Industries