Cybersecurity, Insurers, and the Department: What You Need to Know - PowerPoint PPT Presentation



SLIDE 1

Office of Chief Counsel | www.insurance.pa.gov

Cybersecurity, Insurers, and the Department: What You Need to Know

John J. Lacek IV, Esq. Department Counsel Chair – Cybersecurity Incident Response Task Force

SLIDE 2

A Growing Threat and Growing Awareness


  • Cybersecurity threats emerged as one of the top threats to corporations in the early part of the decade
  • 2013 Target breach – 100 million individuals exposed
  • 2014 JP Morgan Chase breach – 83 million accounts exposed
  • 2015 Anthem Insurance breach
    • 78.8 million customers exposed
    • Names, birthdays, Social Security numbers, addresses and email accounts
    • $260 million in remediation costs
    • $115 million to settle litigation

SLIDE 3

The Threats Proliferated


  • 2015 Premera Blue Cross breach
    • 11 million customer records compromised
  • 2018 – Bankers Life breach
    • 566,217 insureds impacted
  • 2018 – Independence Blue Cross breach
    • 17,000 members impacted
  • 2019 – First American Title breach
    • Over 885 million records potentially exposed
    • Records went as far back as 2003
    • Social Security numbers, dates of birth, mailing addresses, account numbers, tax documents, and driver's licenses

SLIDE 4

A Continued Threat


  • 53,308 security incidents in 2018
    • 2,216 data breaches
    • 598 security incidents in the financial services sector
    • 146 data breaches in the financial services sector
  • 87% of attacks in 2018 took merely minutes to compromise a system
  • 68% of attacks in 2018 took months or longer to discover

SLIDE 5

More than Mere Data Breaches


  • Numerous types of incidents may be classified as a cybersecurity incident
    • Simple hacking
    • Phishing
    • Malware
    • Ransomware
    • Brute force attacks
    • Denial of service attacks
    • Privilege misuse
    • Physical infrastructure attacks

SLIDE 6

The Internet of Things – A Dangerous Playground


As IoT technology becomes more ubiquitous, so too do the cybersecurity implications

  • Cell phones
  • Smart watches
    • MiSafes child-tracking smartwatches
  • Smart speakers
    • Hacked via audio files
  • Smart televisions
  • Security cameras
    • Partly blamed for the 2016 Dyn DDoS attack

SLIDE 7

What Authority does the Department Have?


31 Pa. Code Chapter 146c – Standards for Safeguarding Customer Information

  • Requires licensees to have a comprehensive written security program
  • Requires licensees to assess their risk
  • Requires licensees to train staff to implement the security program
  • Requires licensees to regularly test or monitor key controls, systems and procedures
  • Requires licensees to use due diligence when selecting service providers and requires service providers to implement measures designed to meet the objectives of the security program

SLIDE 8

31 Pa. Code Chapter 146c


  • A violation of the Chapter is deemed to be an Unfair Insurance Practice
    • Revocation of license
    • Injunction
    • $5,000 civil penalty
  • Avoidance of liability for service providers' violations
    • If the licensee has reason to know that a service provider is engaging in a pattern of activity which violates this chapter, the licensee will be liable unless:
      • The licensee terminates the contract, if feasible, or
      • If not feasible, the licensee notifies the Department

SLIDE 9

What has the Department Done?


  • Early 2017 – Formed a working group to study the matter
    • Studied case studies
    • Reached out to experts in the field
    • Drafted recommendations
  • Late 2017 – Formed the first iteration of the Cybersecurity Incident Response Task Force
    • Composed of a small group of Department experts
    • Developed processes and procedures for handling a cybersecurity incident
  • Early 2018 – Task Force goes live
    • January 24, 2018 – first incident handled by the Task Force

SLIDE 10

What has the Department Done?


  • Mid 2018 – The Task Force conducted an internal review of its handling of its first reported incident
    • Critical evaluation of goals and results
    • Culminated in a report and recommendations
  • Late 2018 – New Task Force created
    • Comprised of a larger group of Department program areas
    • Provided more flexibility in the processes and procedures to be used
    • Greater Department-wide communication while ensuring confidentiality and restrictions on access to information

SLIDE 11

Current Task Force


The Task Force is currently composed of numerous Department program areas

  • Market Conduct
  • Financial Examinations
  • Financial Analysis
  • Consumer Services
  • Legal
  • Press
  • Policy
  • Legislative
  • Information Systems
  • Executive

SLIDE 12

Task Force Goals


  • Serve as the primary liaison between the Department and an entity experiencing a cybersecurity incident
  • Ensure proper remedial actions are taken to protect consumers and licensee integrity
  • Provide licensees with support and advice in dealing with and remediating a cybersecurity incident
  • Cooperate with industry to better facilitate communication regarding cybersecurity issues
  • Continually evaluate and refine processes for dealing with licensees who have experienced a cybersecurity incident

SLIDE 13

Task Force Expectations


  • Prompt report of a cybersecurity incident to the Task Force
    • Incidents in which PII was possibly compromised
    • Incidents which may affect the operations of a licensee
  • Cooperation with the Task Force in developing an understanding of the incident
  • Licensees taking appropriate action to remediate potential harm
    • Notice to consumers
    • Forensic analysis of the incident
    • Remedial security actions
  • Reporting to relevant authorities
    • Law enforcement
    • Other regulatory bodies

SLIDE 14

When Should I Report?


  • Discretion is left to the licensee, but a few considerations should guide this decision:
    • Was PII exposed?
    • Did the incident impact operations?
    • Financial examinations will look for cyber incidents
    • The Department expects to know of an incident before the general public
    • The Department does not want to be taken by surprise

SLIDE 15

What About Confidentiality?


Pursuant to the Exam Law and Holding Company Act, all communications with the Task Force are held in strict confidence

  • Not subject to Right-to-Know
  • Not subject to subpoena
  • No waiver of privilege
  • Access to information is limited to Department employees with a need to know

SLIDE 16


NAIC Insurance Data Security Model Law

SLIDE 17

State Adoption


SLIDE 18

What Does the Model Do?


The Model contains four key components

  • Cybersecurity Program
  • Investigation of Cybersecurity Incidents
  • Notification requirement
  • Examination authority

SLIDE 19

Cybersecurity Program


  • Requires licensees to conduct risk assessments
  • Requires licensees to create a cybersecurity program based on the risk assessment
  • Allows licensees flexibility in how to implement their cybersecurity program
    • Program should be commensurate with the size and sophistication of the licensee
    • No prescriptive requirements
  • Requires licensees to develop an incident response plan

SLIDE 20

Investigation of Cybersecurity Incident


  • Requires a licensee to conduct an internal investigation of any cybersecurity incident
  • Mandates that licensees, to the greatest extent possible, be able to identify certain information
    • Assess the nature and scope of the cybersecurity event
    • Identify the PII, if any, which was involved
    • Date of the event
    • How the event was discovered
    • The period during which the system was compromised
    • How the information was exposed or compromised
    • The source of the cybersecurity event

SLIDE 21

Notification


  • Requires a licensee to notify the Department within 72 hours of the discovery of a cybersecurity event
  • Requires notice to insureds pursuant to state notification laws (73 P.S. § 2303 – “without unreasonable delay”)
  • Requires licensees to notify producers of record
  • Requires notice from reinsurers to insurers and vice versa

SLIDE 22

Examination Authority


  • Provides the Department with explicit authority to examine licensees' cybersecurity programs
  • Provides the Department with explicit authority to investigate cybersecurity incidents
  • Prescribes penalties and remedial actions

SLIDE 23

General Data Protection Regulation (GDPR)


SLIDE 24

Key Provisions


  • Territorial application – applies to any company processing data of subjects residing in the EU, regardless of the company's location
  • Consent to use cookies – consent requests must be in plain language and can no longer be buried in long legal terms and conditions
  • Right to be forgotten – allows individuals to require companies to remove data which is no longer relevant to the original collection purpose or for which the subject has withdrawn consent. Companies must weigh the request for removal against the public interest in availability of the data
  • Right to access – individuals have the right to request from a company what data it maintains about the individual and to request a copy of said data, free of charge
  • Companies may be fined up to 4% of annual global revenue or €20 million, whichever is greater

SLIDE 25


Thank you