Evolving Financial Services Security Requirements: Part 1

May 15, 2015, Justin Orcutt, Regional Sales Manager

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES INSURANCE PROVIDER PREPAREDNESS ASSESSMENTS

Through the end of the year, the New York State Department of Financial Services (NYSDFS, or DFS for short,) expects to [proceed with a number of initiatives to help strengthen cybersecurity at its regulated companies. Among these changes will be integration of regular, targeted assessments of cybersecurity preparedness—for insurance companies, banks, payment processors and more.

You may recall the DFS Report on Cybersecurity in the Insurance Sector, which was a result of examinations that were launched in 2013 and continued through 2014. In December 2014, the DFS released Insurance Industry Guidance on its site, which outlined specific issues and factors that will almost certainly come up when they’re examined as part of the new DFS cybersecurity preparedness assessments. Then in February 2015, the DFS’s findings were released. According DFS Superintendent Benjamin M. Lawsky in an open letter after the reports publication,

Recent Cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”—New York State Department of Financial Services Superintendent, Benjamin M. Lawsky

In light of the results, the DFS said it’s in the process of revising its cybersecurity examination process, which includes the development of extensive training programs for its own IT examiners—they’ll be better prepared to find, identify, and assess vulnerabilities in the institutions. The report stated that, “The department believes that such cooperation and dialogue is essential to developing smart and effective cybersecurity programs across NY’s financial services industry.”

DFS Report on Cybersecurity in the Insurance Sector:

The Results and Issues in the Industry

The Report on Cybersecurity in the Insurance Sector itself consisted of 43 life, health, and property/casualty Insurance providers, whose assets total over $3.2 trillion. (That’s the equivalent of the MLB team salaries combined for about 1000 years!) While most of the companies reported no breaches and no monetary loss, 42% of them experienced at least one breach and 27% experienced monetary loss (and one group lost between $6 million and $10 million in a breach).
Meanwhile, a vast majority of insurers have the very basic 5-prong security framework:

  1. a written information security (IS) policy;
  2. Security awareness and education and training for employees;
  3. IS audits;
  4. Risk management of cyber risk, including the identification of key risks and trends; and
  5. Incident monitoring and reporting.

Even with the basics in place, however, and with every company reporting that they use ample anti-virus software/tools to detect malicious code, a quarter of insurers reported having no policies in place to mitigate the IS risks associated with cloud computing (Check out Coalfire virtualization practice).

In addition, 100% of insurers engage in penetration testing, but not all of them use both internal and external sources and a majority of them engage in periodic penetration testing instead of ongoing testing—44% reported conducting them annually, 19% reported quarterly, and 30% reported monthly. The DFS included in an aside,

“[Pen testing] provides only a snapshot of an institution’s vulnerabilities…Ongoing vulnerability scanning is as – if not more –important than penetration testing to identify known weaknesses and potential exposures.” –DFS Report on Cyber Security in the Insurance Sector

That said, the lack of ongoing vulnerability scanning is a big problem according to the Department. Vulnerability scanning is one of the easiest ways to check your system, and has a high payoff.

Another issue was that Insurers are leaning towards the general side when submitting reports. For example, as of 2014, Insurance Regulation 203, 11 NYCRR Part 82 requires certain insurance entities to file an annual Enterprise Risk Management (ERM) report with the department. Only one submitted ERM provided in-depth identification and analysis of cyber security risks and discussed specific steps and ongoing projects to mitigate those risks. The rest were far too general, and DFS concluded that, “…future ERM filings will include more frequent explicit references to cyber security.”

New Cybersecurity Examination Process

An Alert from DFS Superintendent Benjamin M. Lawsky

The aforementioned Insurance Industry Guidance, released in December 2014, was in the form of an email to All NYS-Chartered or Licensed Banking Institutions, titled, “New Cyber Security Examination Process,” and it contained specifics of the upcoming assessments.

The alert states that the NYSDFS plans to promote greater cybersecurity across the entire financial services industry by expanding its information technology examination procedures to focus more attention on cyber security. In addition, the DFS would incorporate into the examination new questions and topics, which would be embodied in pre-examination “First Day Letters.”

The New Topics:

IT/cyber security examinations will now include, but not be limited to:

  • Corporate governance, including organization and reporting structure for cyber security related issues;
  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response processes, including monitoring;
  • Training of information security professionals as well as all other personnel (basic training is not enough. It should be based on your risk);
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cyber security insurance coverage and other third-party protections.

The DFS asks insurers to note that it has provided prompts to questions that it may ask separately, to be answered in writing by additional request.

Our Suggestions

The process to keep these programs compliant can be a struggle—and even if you do have a program, you have to make sure it’s as accurate as possible.

Taking into account the findings of the DFS’s recent report, one solid way to strengthen your risk management program is to add vendor risk management to your security process. While most companies would report to have VRM as a part of their program, they probably aren’t maximizing they audits because they don’t tie them back to the specific service they’re being offered. Know what you need to find out about your system—where are you unsure of your program? What should you examine first? How will that help you develop a VRM program?

Coalfire’s Vendor Risk Assessments, for example, keep up with the complicating vendor management programs by asking all of these questions within the scope of mandates and official requirements. We use a process that scopes, assesses, and then, with our clients, we develop a program with the following steps:

  1. First, Coalfire scopes current vendor relationships and identify access to stored, processed and transmitted information. Is it physical, or electronic? Is it encrypted, processed, or transmitted?
  2. Then, we evaluate the risk of vendor relationships based on the collected information.
  3. Coalfire then uplifts the existing vendor management program by:
    • Developing questionnaires for the vendor(s);
    • Developing annual assessment processes for your company; and
    • Identifying, and developing processes for new vendors.
  4. Next, Coalfire identifies, then develops processes for monitoring current vendors.
  5. Then we incorporate vendor reviews to determine with which requirements new vendors must comply. This is when we develop a written agreement for vendor acknowledgement of compliance. In some cases, we write an agreement that outlines a risk matrix to inform of responsibilities and compliance.

If you have any questions, feel free to contact me and I’d be happy to point you in the right direction or clarity.

Further Reading

Read the report here: http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
Read Superintendent Lawsky’s letter here: http://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf

Justin Orcutt

Author

Justin Orcutt — Regional Sales Manager

Recent Posts

Post Topics

Archives

Tags