From Yahoo to Sony to Equifax, data breaches and cyber hacks are becoming more and more common. And they are not getting any cheaper. According to Ponemon’s Cost of Data Breach Survey, the cost of a hack is on the rise – 2017 set a record high with an average total cost of $7.35 million; and the insurance industry is not immune. In fact, more than 100 million Americans have had their information exposed in insurance sector data breaches.
The expansion of cyber risks and the growth of the cybersecurity insurance market are a tremendous opportunity for the insurance sector. Meanwhile, state and government-level regulations continue to increase. What regulatory and compliance changes should insurers be aware of in 2018?
There has been a significant push in recent years to amend and improve the cybersecurity laws currently in place. For example, in 2015, the U.S. government passed the Cybersecurity Information Sharing Act, which encourages companies to share information on cybersecurity threats and defensive measures. Since then, numerous bills have been introduced, such as the Federal Exchange Data Breach Notification Act of 2015, which requires a health insurance exchange to notify each individual whose personal information is known to have been stolen. Many more legislative proposals can be expected as cyber hacks change and intensify. Most recently, Congress introduced the Data Security and Breach Notification Act, which would “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.”
On the state level, 2017 saw widespread action throughout the country. In fact, 42 states introduced 240 bills related to cyber threats; and as of March 2018, all 50 states have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information.
Perhaps the most aggressive state regulation came from New York in 2018. The state passed the first-ever cybersecurity regulation requiring business entities that operate in the financial services sector (including banks, insurance companies and other financial services institutions) and have $5M in revenue to submit proof of a cybersecurity plan of operation. According to the Department of Financial Services, “The NYDFS Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the installment of a detailed cybersecurity plan, the designation of a Chief Information Security Officer, the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting system for cybersecurity events.” Those who are not compliant can expect to pay a penalty.
The European Union (EU) is also getting involved in cybersecurity regulation. According to the EU, the new General Data Protection Regulation (GDPR) “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” The regulation applies to any organization that processes and holds the personal data of individuals residing in the EU, regardless of where the organization is headquartered. Companies that fail to comply can be fined up to four percent of annual global revenue or 20 million euros for breaching GDPR.
Insurance regulators are raising the bar on cybersecurity too, with the National Association of Insurance Commissioners (NAIC) establishing a Cyber Security Task Force. The goal of the task force is to create a comprehensive regulatory framework for cybersecurity. In October, the NAIC Insurance Data Security Model Law was approved. Based on the NYDFS regulation, this law will establish standards and requirements for data security implementation, breach notification and investigation at the state level, which affects the entire insurance industry. The NAIC Model Law is currently being introduced to state legislatures throughout the country; in fact, Rhode Island and South Carolina have already introduced legislation based on the NAIC Model.
Cybersecurity is changing the regulatory landscape and 2018 is poised to be a pivotal year. Companies must prepare for the impending shifts and examine how their current risk and compliance processes may be updated to fit within an evolving environment.
As governments across the globe implement cybersecurity regulations, what is your organization doing to prepare?