cybersecurity insurers and the department what you need
play

Cybersecurity, Insurers, and the Department: What You Need to Know - PowerPoint PPT Presentation

Mar 23, 2023 •270 likes •531 views

Cybersecurity, Insurers, and the Department: What You Need to Know John J. Lacek IV, Esq. Department Counsel Chair Cybersecurity Incident Response Task Force Office of Chief Counsel | www.insurance.pa.gov A Growing Threat and Growing

  1. Cybersecurity, Insurers, and the Department: What You Need to Know John J. Lacek IV, Esq. Department Counsel Chair – Cybersecurity Incident Response Task Force Office of Chief Counsel | www.insurance.pa.gov

  2. A Growing Threat and Growing Awareness • Cybersecurity threats emerged as one of the top threats to corporations in the early part of the decade • 2013 Target Breach – 100 million individuals exposed • 2014 JP Morgan Chase Breach – 83 million accounts exposed • 2015 Anthem Insurance breach • 78.8 million customers exposed • Names, birthdays, social security numbers, addresses and email accounts • $260 million in remediation costs • $115 million to settle litigation Office of Chief Counsel | www.insurance.pa.gov

  3. The Threats Proliferated • 2015 Premera Blue Cross breach • 11 million customer records compromised • 2018 – Bankers Life breach • 566,217 insureds impacted • 2018 – Independence Blue Cross breach • 17,000 members impacted • 2019 – First American Title • Over 885 million records potentially exposed • Records went as far back as 2003 • Social Security numbers, dates of birth, mailing addresses, account numbers, tax documents, and driver licenses Office of Chief Counsel | www.insurance.pa.gov

  4. A Continued Threat • Over 53,308 security incidents in 2018 • 2,216 data breaches • 598 security incidents in the financial services sector • 146 data breaches in the financial services sector • 87% of attacks in 2018 took merely minutes to compromise a system • 68% of attacks in 2018 took months or longer to discover Office of Chief Counsel | www.insurance.pa.gov

  5. More than Mere Data Breaches • Numerous types of incidents may be classified as a cybersecurity incident • Simple hacking • Phishing • Malware • Ransomware • Brute force attacks • Denial of service attacks • Privilege misuse • Physical infrastructure attacks Office of Chief Counsel | www.insurance.pa.gov

  6. The Internet of Things – A Dangerous Playground As IoT technology becomes more ubiquitous, so to do the cybersecurity implications • Cell phones • Smart watches • MiSafes child tracking smartwatches • Smart speakers • Hack via audio files • Smart televisions • Security Cameras • Party lamed for the 2016 Syn DDoS attack Office of Chief Counsel | www.insurance.pa.gov

  7. What Authority does the Department Have ? 31 Pa. Code Chapter 146c – Standard for Safeguarding Customer Information • Requires licensees to have a comprehensive written security program • Requires licensees to assess their risk • Requires licensees to train staff to implements the security program • Requires licensees to regulatory test or monitor key controls, systems and procedures • Requires licensees to use due diligence when selecting service providers and requires services providers to implement measures designed to meet the objectives of the security program Office of Chief Counsel | www.insurance.pa.gov

  8. 31 Pa. Code Chapter 146c • A violation of the Chapter is deemed to be an Unfair Insurance Practice • Revocation of license • Injunction • $5,000 civil penalty • Avoidance of liability for service providers • If the licensee has reason to know that a service provider is engaging in a patter of activity which violates this chapter, a licensee will be liable unless: • The licensee terminates the contract, if feasible, or • If not feasible, the licensee notifies the Department Office of Chief Counsel | www.insurance.pa.gov

  9. What has the Department Done? • Early 2017 – Formed a working group to study the matter • Studied case studies • Reached out to experts in the field • Drafted recommendations • Late 2017 – Formed the first iteration of the Cybersecurity Incident Response Task Force • Composed of a small group of Department experts • Developed processes and procedures for handling a cybersecurity incident • Early 2018 – Task Force goes live • January 24, 2018 – first incident handled by the Task Force Office of Chief Counsel | www.insurance.pa.gov

  10. What has the Department Done? • Mid 2018 – The Task Force conducted an internal review of its handling of its first reported incident • Critical evaluation of goals and results • Culminated in a report and recommendations • Late 2018 – New Task Force created • Comprised of a larger group of Department program areas • Provided more flexibility in the processes and procedures to be used • Greater Department-wide communication while ensuring confidentiality and restrictions on access to information Office of Chief Counsel | www.insurance.pa.gov

  11. Current Task Force The Task Force is currently comprised on numerous Department program areas • Market Conduct • Financial Examinations • Financial Analysis • Consumer Services • Legal • Press • Policy • Legislative • Information Systems • Executive Office of Chief Counsel | www.insurance.pa.gov

  12. Task Force Goals • Serve as the primary liaison between an entity experiencing a cybersecurity incident • Ensure proper remedial actions are taken to ensure consumer protections and licensee integrity • Provider licensee's with support and advice in dealing with and remediating a cybersecurity incident • Cooperate with industry to better facilitate communication regarding cybersecurity issues • Continually evaluate and refine processes to deal with licensees who have experienced a cybersecurity incident Office of Chief Counsel | www.insurance.pa.gov

  13. Task Force Expectations • Prompt report of a cybersecurity incident to the Task Force • Incidents when PII was possibly compromised • Incidents which may effect the operations of a licensee • Cooperation with the Task Force in developing an understanding of the incident • Licensees taking appropriate action to remediate potential harm • Notice of consumers • Forensic analysis of incident • Remedial security actions • Reporting to relevant authorities • Law enforcement • Other regulatory bodies Office of Chief Counsel | www.insurance.pa.gov

  14. When Should I Report? • Discretion is left to the licensee, but a few considerations should guide this decision: • Was PII exposed? • Did the incident impact operations? • Financial examinations will look for cyber incidents • The Department expects to know of an incident before the general public • The Department does not want to be taken by surprise Office of Chief Counsel | www.insurance.pa.gov

  15. What About Confidentiality? Pursuant to the Exam Law and Holding Company Act, all communications with the Task Force are held in strict confidence • Not subject to Right-to-Know • Not subject to subpoena • No waiver of privilege • Access to information is limited to Department employees with a need to know Office of Chief Counsel | www.insurance.pa.gov

  16. NAIC Insurance Data Security Model Law Office of Chief Counsel | www.insurance.pa.gov

  17. State Adoption Office of Chief Counsel | www.insurance.pa.gov

  18. What Does the Model Do? The Model contains four key components • Cybersecurity Program • Investigation of Cybersecurity Incidents • Notification requirement • Examination authority Office of Chief Counsel | www.insurance.pa.gov

  19. Cybersecurity Program • Requires licensees to conduct risk assessments • Requires licensees to create a cybersecurity program based on the risk assessment • Allows licensees flexibility in how to implement their cybersecurity program • Program should be commensurate with the size and sophistication of the licensee • No prescriptive requirements • Requires licensees to develop an incident response plan Office of Chief Counsel | www.insurance.pa.gov

  20. Investigation of Cybersecurity Incident • Requires a licensee to conduct an internal investigation of any cybersecurity incident • Mandates that licensees, to the greatest extent possible, must be able to identify certain information • Assess the nature and scope of the Cybersecurity event • Identify the PII, if any, which was involved • Date of the event • How the event was discovered • The period during which the system was compromised • How the information was exposed or compromised • The source of the Cybersecurity event Office of Chief Counsel | www.insurance.pa.gov

  21. Notification • Requires a licenses to notify the Department within 72 hours of the discovery of a cybersecurity event • Require notice to insureds pursuant to state notification laws (73 P.S. § 2302 – “without reasonable delay”) Requires licensees to notify producers of record • Notice of reinsurers to insurers and vice versa • Office of Chief Counsel | www.insurance.pa.gov

  22. Examination Authority • Provides the Department with explicit authority to examine licensee’s cybersecurity programs • Provides the Department with explicit authority to investigate cybersecurity incidents • Proscribes penalties and remedial actions Office of Chief Counsel | www.insurance.pa.gov

  23. General Data Protection Regulation (GDPR) Office of Chief Counsel | www.insurance.pa.gov

Recommend

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP

Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP

Presenting a live 90 minute webinar with interactive Q&A Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP Extension Act Complying with MMSEA Requirements for Non Group Health Plan Payers

638 views • 43 slides
Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel Sofia, Bulgaria Mr. Joaqun Castelln , Operational Director Spanish National Security Department Ms. Anita TIKOS , Desk Officer for International

197 views • 15 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

West Virginia University Cybersecurity research and education: Helping meet the high demand for cybersecurity experts Katerina Goseva-Popstojanova Professor Lane Department of Computer Science and Electrical Engineering (LCSEE) West

538 views • 21 slides
National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security

National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security

Federal Information Systems Security Educators March 19, 2014 National Cybersecurity Workforce Framework Benjamin Scribner Department of Homeland Security (DHS) National Cybersecurity Education & Awareness Branch (CE&A) T HE CYBER THREAT

315 views • 13 slides
Insurance Bad Faith: Pitfalls for Insurers in the Investigation of Coverage Claims Strategies for

Insurance Bad Faith: Pitfalls for Insurers in the Investigation of Coverage Claims Strategies for

Presenting a live 90-minute webinar with interactive Q&A Insurance Bad Faith: Pitfalls for Insurers in the Investigation of Coverage Claims Strategies for Insurers to Avoid or Mitigate Liability and Policyholders to Prove Bad Faith and

953 views • 72 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
IAAHS COLLOQUIUM 2004 Session J IAS and Solvency for Health Insurers IAS and Solvency for Health

IAAHS COLLOQUIUM 2004 Session J IAS and Solvency for Health Insurers IAS and Solvency for Health

IAAHS COLLOQUIUM 2004 Session J IAS and Solvency for Health Insurers IAS and Solvency for Health Insurers 15.15 Overview: IASB Phase 1&2 / IAA and IAIS Proposals (David Paul) 15.30 Internal Models for Capital Assessment - UK Experience

147 views • 11 slides
allocations 5 April 2017, Dublin Cristina Mihai Contents 1 Who we are 2 Insurers as largest

allocations 5 April 2017, Dublin Cristina Mihai Contents 1 Who we are 2 Insurers as largest

Challenges and opportunities of policymaking for insurers asset allocations 5 April 2017, Dublin Cristina Mihai Contents 1 Who we are 2 Insurers as largest institutional investors 3 Regulation: focus on Solvency II 4 The EU

490 views • 28 slides
Overview of State Agency Cybersecurity Costs PRESENTED TO SENATE SELECT COMMITTEE ON

Overview of State Agency Cybersecurity Costs PRESENTED TO SENATE SELECT COMMITTEE ON

Overview of State Agency Cybersecurity Costs PRESENTED TO SENATE SELECT COMMITTEE ON CYBERSECURITY LEGISLATIVE BUDGET BOARD STAFF MARCH 21, 2018 Department of Information Resources The Texas Department of Information Resources (DIR) provides

591 views • 12 slides
Risk adjustments for life insurers Presentation to 2016 NZSA conference Ben Coulter, PwC Key

Risk adjustments for life insurers Presentation to 2016 NZSA conference Ben Coulter, PwC Key

Risk adjustments for life insurers Presentation to 2016 NZSA conference Ben Coulter, PwC Key changes for insurers A new name (IFRS 17 vs IFRS 4) Optional premium allocation approach (PAA) Level of aggregation Acquisition

374 views • 23 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies

DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies

DOD Clarifies Contractor Cybersecurity Certification Again By Amy Conant Hoang, Erica Bakies and Sarah Burgart On Dec. 12, the U.S. Department of Defense publicly released an updated draft of the Cybersecurity Maturity Model Certification, or

253 views • 4 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides
Health Care Reform: An Insurers Perspective Douglas Lynch, FSA, MAAA Vice President and

Health Care Reform: An Insurers Perspective Douglas Lynch, FSA, MAAA Vice President and

Health Care Reform: An Insurers Perspective Douglas Lynch, FSA, MAAA Vice President and Actuary Actuarial Department May 16, 2011 In the pursuit of health About BCBSF Pensacola Tallahassee Jacksonville Panama City Gainesville Orlando

641 views • 15 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU Cybersecurity European policy overview e-IRG e-IRG 4 December 2019 Brussels Anni Hellman, Senior Expert, Permanent Representation of Finland to the European Union Seconded for the Finnish Presidency from the Directorate General

320 views • 28 slides
Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al

Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al

Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al Rivero, PE CREDC Summer School February 5th, 2018 Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security |

469 views • 11 slides
INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity Consultants, The Cybersecurity Expert Guys Cybersecurity Researcher 2 Agenda 1. Account Takeover via Forgot Password Function 2. Amazon S3

2.36k views • 75 slides
Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
Insurance Ireland CRO Forum 20 September 2017 abi.org.uk @British Insurers Brexit Politics

Insurance Ireland CRO Forum 20 September 2017 abi.org.uk @British Insurers Brexit Politics

Association of British Insurers Insurance Ireland CRO Forum 20 September 2017 abi.org.uk @British Insurers Brexit Politics since June (1/2) UK Developments EU Developments The 3 rd round of Article 50 negotiations took place in

106 views • 7 slides

More recommend