November 15, 2017
Recent cyber regulations, including the New York Department of Financial Services (NYDFS) Cybersecurity Rule, the EU's General Data Protection Regulation (GDPR), and the recently adopted NAIC Insurance Data Security Model Law, have started the conversation about cybersecurity legislation. Organizations are finding it much easier to build a security program toward the requirements of these prescriptive laws than to build one from scratch. The Council is closely monitoring these key cybersecurity regulations, all of which have potential implications for the insurance industry. In fact, according to The Council's Q3 Property Casualty Market Survey, cyber risk was the number one concern of brokers' clients in Q3 2017.
Not only can compliance with such prescriptive regulation become extremely expensive, but executive management teams and the boardroom alike are being held increasingly responsible for their organizations' cybersecurity decisions. Liability is thus a growing motivator for implementing and maintaining a sound information security program.
Brokers house personally identifiable information (PII), health records, proprietary information and financial records belonging to external organizations, making them a high-value target for cybercrime. It is now more important than ever for insurance brokerages to adopt a holistic security program built around four key components: prevention, detection, containment and eradication. However, according to experts, a lack of cyber expertise among executives and in the boardroom makes it challenging for them to effectively oversee management's cybersecurity activities.
Prescriptive regulations similar to the NYDFS Cybersecurity Rule will follow in other states, and executives must become familiar with the liabilities associated with cyber risk. While regulation is certainly an incentive for cyber preparedness, it is equally imperative that organizations begin assessing their cyber posture before compliance is mandated.