New York State Department of Financial Services, Report on Cyber Security in the Insurance Sector (Feb. 2015) (full-text).
This report is based on a survey conducted by the New York State Department of Financial Services with respect to cyber security at a cross-section of regulated insurance companies during 2013 and 2014. A total of 43 entities, with combined assets of approximately $3.2 trillion, completed a survey seeking information about each participant's cyber security program, costs, and future plans. The objective of the survey was to obtain a horizontal perspective of the insurance industry's efforts to prevent cyber crime, protect consumers and clients in the event of a breach, and ensure the safety and soundness of their organizations.
The Department found that a wide array of factors — not just reported assets — affect the sophistication and comprehensiveness of the insurers' cyber security programs. Those factors include reported assets, transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines. In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.
The Department found that 95% of insurers already believe that they have adequate staffing levels for information security, and that only 14% of chief executive officers receive monthly briefings on information security. Recent cyber security breaches at financial institutions and other major corporations should serve as a wake-up call for insurers to redouble their efforts to strengthen their cyber defenses, particularly given the level of sensitive consumer information that insurers are entrusted with handling.