In September and October 2021 alone, the Federal Trade Commission, the New York State Department of Financial Services, and the Securities and Exchange Commission all signaled their plans for a cybersecurity storm.
On September 13, 2021, the Federal Trade Commission (FTC) submitted a report to Congress identifying four priority areas for its ongoing work on data privacy and security. Most important for life insurers is the agency’s plan to expand its understanding of, and guidance around, the use of algorithms, which could affect life insurers’ underwriting processes. The FTC also called on Congress to “pass data privacy and security legislation enforceable by the FTC,” for which the FTC asked for “expanded civil enforcement authority” [and] APA regulatory authority. The FTC followed the report by issuing revisions to its Safeguards Rule and a supplemental notice of proposed rulemaking that would require reporting to the FTC within 30 days of security incidents reasonably likely to affect 1,000 or more consumers.
On October 22, 2021, the New York State Department of Financial Services (DFS) issued a letter clarifying that Covered Entities remain responsible for their own cybersecurity obligations regardless of whether they rely on an Affiliate’s cybersecurity program. Where a Covered Entity adopts all or part of an Affiliate’s Cybersecurity Program, the Entity shall “make available to DFS, upon request, all ‘documentation and information’ relevant to its Cybersecurity Program … including … programs adopted by an affiliate.” For Covered Entities that depend on Affiliates not otherwise regulated by DFS, this will require contractual provisions that:
- Require the Affiliate to comply with the cybersecurity regulatory requirements with respect to any Affiliate information system shared with the Covered Entity; and
- Provide the Covered Entity with access, “at a minimum”, to the Affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third-party audit related to the adopted parts of the Affiliate’s cybersecurity program.
On October 29, 2021, SEC Commissioner Elad Roisman delivered a speech in which he encouraged entities to:
- Learn from the SEC’s guidance on cybersecurity, particularly the Cybersecurity and Resilience Observations it issued in January 2020; and
- Take steps to prevent and mitigate damage from cybersecurity attacks, including:
  - Have an incident response plan;
  - “Identify, in advance, certain service providers and experts that a registrant would call upon in the event of a cyber incident”; and
  - Carry out a “tabletop” exercise.
Roisman also expressed support for continued enforcement action and his belief that the SEC should “consider rules that provide registrants – particularly investment advisers and public issuers – with a better sense of what we expect of them in today’s market”, especially regarding breach notification.
In addition to all of this, the NAIC is establishing a new Innovation, Cybersecurity, and Technology (H) Committee, including a Cybersecurity (H) Task Force. A draft of the Task Force’s charges includes:
- Monitor cybersecurity trends that may affect the insurance industry;
- Advise on the development of cybersecurity training for state insurance regulators;
- Promote communication between state insurance departments regarding cybersecurity risks and events;
- Oversee the development of a cybersecurity regulatory response guidance document to assist state insurance regulators in the investigation of cyber incidents at insurers;
- Coordinate cybersecurity work across NAIC committees and working groups;
- Work with the Center for Insurance Policy and Research to analyze information related to cybersecurity;
- Support state implementation efforts related to the passage of the Insurance Data Security Model Law (#668); and
- Collaborate with federal and international supervisors and agencies on cybersecurity risk management and assessment.
Grab your shovels and your salt: the forecast promises to be icy.