NY regulator requires insurers to provide information on their cyber security policies

The New York government is asking some insurers that operate in the state what steps they take to protect their clients and themselves from cyber threats.

On Tuesday, the Department of Financial Services (DFS) sent “308 letters” to large insurance companies that it regulates, requesting information on their cyber security policies and procedures.

The “308 letter” is a request for information that the insurers are legally required to respond to, according to the government.

“The extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers,” Governor Andrew Cuomo noted in a DFS statement.

“We’re intensely focused on making sure that banks have the protections in place they need, but we always have to keep at least one eye on the lookout for the next big threat,” he said. “It’s vital that we stay ahead of the curve on cyber security because we know hackers aren’t going to give us any breathing room.”

The letters include requests for:

• Information on any cyber attacks the company has been subject to in the past three years
• The cyber security safeguards the company has put in place
• The company’s information technology management policies
• The amount of funds and other resources dedicated to cyber security at their company
• The company’s governance and internal control policies related to cyber security
• The government sent similar requests to various banks in the state earlier this year.

“Cyber security at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot,” noted Benjamin Lawsky, the state’s superintendent of financial services. “We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.”

Lawsky also co-chairs the newly-formed Cyber Security Board, tasked with advising Cuomo’s administration on developments in cyber security and also making recommendations for protecting the state’s critical infrastructure and information systems.

Insurance companies that have had inquiries on their cyber security practices sent to them include:

• Aetna
• AIG
• Allstate
• AXA Equitable
• Berkshire Hathaway
• Capital District Physicians’ Health Plan
• Chubb
• EmblemHealth
• Empire
• Excellus BlueCross BlueShield
• Guardian Life
• Healthnow New York
• Humana
• The Hartford
• Integrated Healthcare Association
• Liberty Mutual
• MassMutual
• Members Health Insurance
• MetLife
• MVP Health Care
• Nationwide
• New York Life
• Northwestern Mutual Life
• The Principal Financial Group
• Progressive
• Prudential
• State Farm
• TIAA-CREF
• Tower Group
• Travelers
• United Health Group