Insuranceciooutlook

Maneuvering IT Strategies Through Cybersecurity Regulations

By Steve Bridges, SVP, Cyber/E&O Practice, JLT Specialty USA

Steve Bridges, SVP, Cyber/E&O Practice, JLT Specialty USA

Cyber threats to a company’s networks, systems, and data have long been among the chief concerns of CIOs and others responsible for leading an organization’s IT strategy. Enterprise decisions around information technology require a balance of efficacy, cost, and security as well as multiple additional considerations specific to an organization’s mission, industry, and customer base.

“Almost every industry now has a specific set of guidelines and suggested best practices.”

In certain industries, regulatory concerns have long been an addition to this list. For instance, the healthcare industry has been dealing with data privacy issues since the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA). However, over the past couple of years, government regulation of cyber issues has rapidly grown in the United States, with countless federal agencies weighing in with advice, rules, and regulations for their designated industries, along with guidance and enforcement from agencies with more expansive missions like the Securities Exchange Commission (SEC) and the Federal Trade Commission (FTC). This trend is likely to accelerate, so CIOs will increasingly need to contemplate the regulatory environment as they create and implement IT strategies. 

"Almost every industry now has a specific set of guidelines and suggested best practices"

Government intervention and regulation was arguably inevitable, as the digital transformation of our economy has led to increased reliance on networks and the utilization of large amounts of data, often times including, personal data. Two factors appear to be driving the growth of these regulatory schemes. First, the alarming and disruptive threat of cyber attacks to the nation’s infrastructure and economy has spurred government action that seeks to promote cyber security standards in an effort to help key industries prevent these incidents and mitigateany resulting damages. Second, consumer concerns about the protection and privacy of personal information continues to be an area of government focus.

The breadth of regulation is stunning. Almost every industry now has a specific set of guidelines and suggested best practices. In addition, SEC rules, FTC review, state notification laws and National Institute of Standards and Technology (NIST) cybersecurity standards can apply to many enterprises, regardless of industry. Finally, CIOs with international operations will need to understand the European Union Data Protection and Network Information Security Directives and other similar rules.

Three industries which hold large amounts of consumer data—health care, financial institutions and retailers—are heavily regulated. Healthcare entities have long been subject to HIPAA and HiTech rules, with significant enforcement activity by the Office of Civil Rights (OCR). The financial industry is subject to the Gramm-Leach-Bliley Act and the New York Department of Financial Services Cybersecurity Regulatory Framework Proposal, among others. And retailers must deal with Payment Card Industry rules, including the new EMV credit card payment standards.

But other industries are facing similar regulatory oversight. A good example ismedical device manufacturers, who are now subject to draft guidance from the Food and Drug Administration that outlines actions needed to protect patient data. It is expected that automobile manufacturers will face a similar approach from the National Highway Traffic Safety Administration.

In addition, many industries are self-regulated by quasi-governmental organizations that set standards and govern activities within an industry sector. For example, the Financial Industry Regulatory Authority (FINRA) issued its 2015 Report on Cybersecurity Practices which provided guidance to financial advisors and broker-dealers with respect to their cybersecurity programs. Similarly, the North American Electric Reliability Corporation, which oversees the electric utility system, has instituted the CIP (Critical Infrastructure Protection) standards for North American utilities, and the National Association of Insurance Commissioners has published its list of cybersecurity best practices for insurance regulators and companies.

Finally, companies that provide services to these regulated industries are often subject to the same rules and/or are contractually or civilly liable for damages, including fines and penalties, arising out of cybersecurity incidents that impact their clients. For example, technology companies, including hosting companies, call centers, payment processors, and others that hold protected health information for a hospital system, may be covered entities or business associates under HIPAA, and subject to the same rules, including the possibility of an OCR fine, as the hospital. These types of scenarios play out across a variety of industries , as a result, we are starting to see contractual requirements that call for the vendor to maintain security standards appropriate to their client’s industry.

Two federal agency regulatory initiatives merit special discussion, as they demonstrate both the breadth of regulation and a potential safe harbor. First, under its broad “consumer protection” mandate, the FTC has been very active in filing and settling “unfair trade practices” claims in which cybersecurity practices were alleged to be faulty. This authority to investigate cyber practices and incidents across industries was recently confirmed in the courts, and it is expected that the FTC will increasingly exercise its powers in this area.

Second, and on a more positive note, the NIST Cybersecurity Framework, while voluntary, does provide a set of leading security practices from various standards bodies that many experts view to be appropriate. Adopting the Framework can certainly improve a company’s cybersecurity profile, but may also prove valuable with regulatory compliance and liability protection. When faced with an FTC action or data breach litigation alleging negligence, the fact that an organization has implemented the NIST standards may counter the FTC charge or serve as a very valuable “best practices” defense in the court room.

One result of all of these laws, regulations, and guidelines is an environment where regulators believe they have a duty to investigate and where the “stick” of fines and penalties is increasingly being utilized. As noted previously, many agencies have the ability to investigate and fine enterprises due to a cyber incident. Following a data breach, for example, it is common for state attorney generals and, depending upon the industry, the OCR, FTC, FCC, FINRA, and/or others to investigate and levy fines. A bit of good news is that cyber insurance policies, which are a key component to a robust cybersecurity program, can provide coverage for the costs to respond to a regulatory investigation and, in many cases,for fines and penalties.

History suggests that CIOs should expect the regulatory climate to become more complicated and increasingly penal. In today’s environment, maintaining a thorough understanding of the regulatory scheme that impacts your enterprise, in coordination with internal and external counsel, is both a challenge and a necessity.

Read Also

Big Data Enhancing Insurance Sector

Big Data Enhancing Insurance Sector

Jason Lichtenthal, SVP, CIO, PURE Group of Insurance Companies
The Growing Power of Data in Insurance Product Development

The Growing Power of Data in Insurance Product Development

Monique Hesseling, Partner, SMA Strategy Meets Action
The Sky is low the Clouds are Mean... Transformation through Technology

The Sky is low the Clouds are Mean... Transformation through Technology

Feroz Merchhiya, CTO, Director of Technology, CIGA
The Elements Of Impact: Lessons Learned From Insurer It Projects

The Elements Of Impact: Lessons Learned From Insurer It Projects

Matthew Josefowicz, President & CEO, Novarica