Insurance Needs to Develop Cybersecurity Standards Now

Does your company place the same importance on cybersecurity that the federal government and state insurance regulators now do?

The United States government’s defense doctrine recognizes five domains in warfare, Gen. Michael V. Hayden told the National Association of Insurance Commissioners (NAIC) 2015 International Insurance Forum held in Washington DC. They are air, land, sea, space, and the newest of them all: cyber.

If the NAIC’s recent and startlingly rapid moves towards a cyber regulatory doctrine were not evidence enough of the recognition by US state insurance regulators of the importance and vulnerability of cyberspace, Hayden’s speech certainly was.

This was not so much for what he said, but for the simple fact that at a forum dedicated to international issues, a forum that has become a signature event for the NAIC, Hayden was the special featured speaker on the first day. Gen. Hayden is the former director of both the Central Intelligence Agency and the National Security Agency, so he knew of what he spoke. And what he had to say was not necessarily reassuring, calling financial services the American industry most vulnerable to a data-wiping attack.

Further evidencing the importance US state regulators attach to cybersecurity was the leadoff panel of the Forum, where the discussion topic was, “Cybersecurity: Protecting Consumers from Cyber Threats and Growth of the Cyber Insurance Marketplace.”

While the grammar may seem a little strained, the title does brilliantly encapsulate the dual concerns facing insurance regulators and industry. Cybersecurity is important because the cyber-marketplace is vital to the future of a thriving insurance industry. But, more than most industries, insurance depends on consumer trust, and the continued growth of the cyber-marketplace requires an always evolving response to always evolving threats.

“Cyber risk is one of the highest priorities for insurers, regulators, and consumers,” said South Carolina Department of Insurance Director Raymond Farmer, a panelist and Vice Chair of the NAIC Cybersecurity Task Force. Farmer said the task force is about to begin work on a consumer Bill of Rights that would include notification in the event of a breach.

This is one of many changes currently being undertaken by the NAIC. Other changes include a cybersecurity supplement to be added to the annual statement for property-casualty companies beginning in 2016, covering 2015. The NAIC is also revising its examination protocols to include cybersecurity starting in 2016.

But important as these steps are, they do not diminish — in fact, they increase — the need for Chief Information Officers (CIOs) to work even harder to expand the alliances they form and extend awareness of the need for cybersecurity throughout their organizations.

CIOs know better than almost anyone else that cybersecurity is not just an IT issue. IT may be on the front lines, but everyone has to be involved in this war, where, to borrow a quote often misattributed to Thomas Jefferson, eternal vigilance is the price of liberty. Cybersecurity is an issue for the chief risk officer. It is an issue for the chief financial officer. It is an issue for the chief compliance officer. And if it is not already, it should be an issue for the chief marketing and sales officers.

Insurance companies have lots of data, data that few other industries even dare to dream about. In addition to the standard personally identifiable information such as name, Social Security number, credit card number, address, date of birth, favorite color, and so forth, an insurer may have information on diagnoses and treatments, on prognoses and potential concerns. An insurer may know if you have a burglar alarm system, and if you drive, the insurer may know where, when, and how fast.

If a consumer is not convinced that an insurer can keep this information confidential, how likely is that consumer to purchase that insurer’s product?

There are numerous legitimate questions about data use. As consumer advocate Birny Birnbaum told the conference, insurers have a collection of consumer data that may be “opaque to consumers,” providing consumers with limited ability to protect themselves. Some of that data, he observed, has no set shelf life. This may include Social Security numbers or medical information that may be used to target the elderly with specific medical conditions. For this data, he called the normal 1- to 2-year credit monitoring period usually offered after a breach inadequate protection.

“Consumers need a greater understanding and control of insurers’ collection and use of data,” said Birnbaum, executive director of the Center for Economic Justice, adding that consumers should have an opt-in right. Birnbaum said it was “essential for jurisdictions around the world to collaborate and cooperate on protecting consumer information.”

What exactly does that mean? What would it mean to US insurers if European standards — where consumer data is owned by the consumer — become the norm worldwide?

So we go back to preaching what we’ve said on numerous occasions this year: it is time for industry to come together to create that consumer Bill of Rights or we will have it created for us. It is no longer a question of if standards will be created, but when and by whom. Unless we want the loudest voices to triumph, industry needs to develop and agree on standards now, and begin widely educating consumers on how they are protected by these standards.

This is an opportunity for increased visibility for CIOs. They already know that cybersecurity is not just an IT issue, and they are better positioned than almost anyone else to take the lead now in addressing it.

Why wait?

MORE FROM DIGITAL INSURANCE