
Cybersecurity, Insurers, and the Department: What You Need to Know - PowerPoint PPT Presentation



  1. Cybersecurity, Insurers, and the Department: What You Need to Know
  John J. Lacek IV, Esq.
  Department Counsel
  Chair – Cybersecurity Incident Response Task Force
  Office of Chief Counsel | www.insurance.pa.gov

  2. A Growing Threat and Growing Awareness
  • Cybersecurity threats emerged as one of the top threats to corporations in the early part of the decade
  • 2013 Target breach – 100 million individuals exposed
  • 2014 JP Morgan Chase breach – 83 million accounts exposed
  • 2015 Anthem Insurance breach
    • 78.8 million customers exposed
    • Names, birthdays, Social Security numbers, addresses and email accounts
    • $260 million in remediation costs
    • $115 million to settle litigation

  3. The Threats Proliferated
  • 2015 Premera Blue Cross breach
    • 11 million customer records compromised
  • 2018 Bankers Life breach
    • 566,217 insureds impacted
  • 2018 Independence Blue Cross breach
    • 17,000 members impacted
  • 2019 First American Title breach
    • Over 885 million records potentially exposed
    • Records went as far back as 2003
    • Social Security numbers, dates of birth, mailing addresses, account numbers, tax documents and driver's licenses

  4. A Continued Threat
  • 53,308 security incidents in 2018
    • 2,216 data breaches
  • 598 security incidents in the financial services sector
    • 146 data breaches in the financial services sector
  • 87% of attacks in 2018 compromised a system within minutes
  • 68% of attacks in 2018 took months or longer to discover

  5. More than Mere Data Breaches
  Numerous types of incidents may be classified as a cybersecurity incident:
  • Simple hacking
  • Phishing
  • Malware
  • Ransomware
  • Brute force attacks
  • Denial of service attacks
  • Privilege misuse
  • Physical infrastructure attacks

  6. The Internet of Things – A Dangerous Playground
  As IoT technology becomes more ubiquitous, so too do the cybersecurity implications:
  • Cell phones
  • Smart watches
    • MiSafes child-tracking smartwatches
  • Smart speakers
    • Hacked via audio files
  • Smart televisions
  • Security cameras
    • Partly blamed for the 2016 Dyn DDoS attack

  7. What Authority Does the Department Have?
  31 Pa. Code Chapter 146c – Standards for Safeguarding Customer Information
  • Requires licensees to have a comprehensive written security program
  • Requires licensees to assess their risk
  • Requires licensees to train staff to implement the security program
  • Requires licensees to regularly test or monitor key controls, systems and procedures
  • Requires licensees to use due diligence when selecting service providers, and requires service providers to implement measures designed to meet the objectives of the security program

  8. 31 Pa. Code Chapter 146c
  • A violation of the Chapter is deemed to be an Unfair Insurance Practice
    • Revocation of license
    • Injunction
    • $5,000 civil penalty
  • Liability for service provider conduct
    • If the licensee has reason to know that a service provider is engaging in a pattern of activity which violates this Chapter, the licensee will be liable unless:
      • The licensee terminates the contract, if feasible, or
      • If termination is not feasible, the licensee notifies the Department

  9. What Has the Department Done?
  • Early 2017 – Formed a working group to study the matter
    • Studied case studies
    • Reached out to experts in the field
    • Drafted recommendations
  • Late 2017 – Formed the first iteration of the Cybersecurity Incident Response Task Force
    • Composed of a small group of Department experts
    • Developed processes and procedures for handling a cybersecurity incident
  • Early 2018 – Task Force goes live
    • January 24, 2018 – first incident handled by the Task Force

  10. What Has the Department Done?
  • Mid 2018 – The Task Force conducted an internal review of its handling of its first reported incident
    • Critical evaluation of goals and results
    • Culminated in a report and recommendations
  • Late 2018 – New Task Force created
    • Comprised of a larger group of Department program areas
    • Provided more flexibility in the processes and procedures to be used
    • Greater Department-wide communication while ensuring confidentiality and restrictions on access to information

  11. Current Task Force
  The Task Force is currently comprised of numerous Department program areas:
  • Market Conduct
  • Financial Examinations
  • Financial Analysis
  • Consumer Services
  • Legal
  • Press
  • Policy
  • Legislative
  • Information Systems
  • Executive

  12. Task Force Goals
  • Serve as the primary liaison between the Department and an entity experiencing a cybersecurity incident
  • Ensure proper remedial actions are taken to protect consumers and licensee integrity
  • Provide licensees with support and advice in dealing with and remediating a cybersecurity incident
  • Cooperate with industry to better facilitate communication regarding cybersecurity issues
  • Continually evaluate and refine processes for dealing with licensees who have experienced a cybersecurity incident

  13. Task Force Expectations
  • Prompt report of a cybersecurity incident to the Task Force
    • Incidents in which PII may have been compromised
    • Incidents which may affect the operations of a licensee
  • Cooperation with the Task Force in developing an understanding of the incident
  • Licensees taking appropriate action to remediate potential harm
    • Notice to consumers
    • Forensic analysis of the incident
    • Remedial security actions
  • Reporting to relevant authorities
    • Law enforcement
    • Other regulatory bodies

  14. When Should I Report?
  • Discretion is left to the licensee, but a few considerations should guide this decision:
    • Was PII exposed?
    • Did the incident impact operations?
  • Financial examinations will look for cyber incidents
  • The Department expects to know of an incident before the general public
  • The Department does not want to be taken by surprise

  15. What About Confidentiality?
  Pursuant to the Exam Law and Holding Company Act, all communications with the Task Force are held in strict confidence:
  • Not subject to Right-to-Know
  • Not subject to subpoena
  • No waiver of privilege
  • Access to information is limited to Department employees with a need to know

  16. NAIC Insurance Data Security Model Law

  17. State Adoption

  18. What Does the Model Do?
  The Model contains four key components:
  • Cybersecurity program
  • Investigation of cybersecurity incidents
  • Notification requirement
  • Examination authority

  19. Cybersecurity Program
  • Requires licensees to conduct risk assessments
  • Requires licensees to create a cybersecurity program based on the risk assessment
  • Allows licensees flexibility in how to implement their cybersecurity program
    • Program should be commensurate with the size and sophistication of the licensee
    • No prescriptive requirements
  • Requires licensees to develop an incident response plan

  20. Investigation of Cybersecurity Incidents
  • Requires a licensee to conduct an internal investigation of any cybersecurity incident
  • Mandates that licensees, to the greatest extent possible, be able to identify certain information:
    • The nature and scope of the cybersecurity event
    • The PII, if any, which was involved
    • The date of the event
    • How the event was discovered
    • The period during which the system was compromised
    • How the information was exposed or compromised
    • The source of the cybersecurity event

  21. Notification
  • Requires a licensee to notify the Department within 72 hours of the discovery of a cybersecurity event
  • Requires notice to insureds pursuant to state notification laws (73 P.S. § 2302 – “without reasonable delay”)
  • Requires licensees to notify producers of record
  • Requires notice from reinsurers to insurers and vice versa

  22. Examination Authority
  • Provides the Department with explicit authority to examine licensees' cybersecurity programs
  • Provides the Department with explicit authority to investigate cybersecurity incidents
  • Prescribes penalties and remedial actions

  23. General Data Protection Regulation (GDPR)
