Cybersecurity Indiana Department of Insurance Financial Services Division - PowerPoint Presentation

min-jolicoeur
min-jolicoeur . @min-jolicoeur
Follow
346 views
Uploaded On 2019-11-05

Cybersecurity Indiana Department of Insurance Financial Services Division - PPT Presentation

Cybersecurity Indiana Department of Insurance Financial Services Division Impact on Regulatory Examinations Jerry Ehlers Examinations Manager Indiana Department of Insurance October 25 2018 Topics How Did We Get Here ID: 763415

information cybersecurity event insurance cybersecurity information insurance event licensee model audit effective commissioner rule security principles state data naic

Share:

Link:

Embed:

Download Presentation from below link

Download Presentation The PPT/PDF document "Cybersecurity Indiana Department of Insu..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Cybersecurity
Indiana Department of Insurance, Financial Services Division
Impact on Regulatory Examinations
Jerry Ehlers, Examinations Manager, Indiana Department of Insurance
October 25, 2018

Topics
How Did We Get Here?
NAIC Principles For Effective Cybersecurity
NAIC Model Audit Rule
Impact on Insurance Examinations
Other Regulatory Considerations

How Did We Get Here?
Guidance Considered For Current and Previous Information Technology Examinations
NAIC Financial Condition Examiners Handbook
COBIT (Control Objectives for Information Technology: www.isaca.org ). Domains: Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Service, and Support (DSS); Monitor, Evaluate, and Assess (MEA)
HIPAA (Health Insurance Portability and Accountability Act)
PCI (Payment Card Industry)
AICPA SSAE 16 SOC I or SOC II, Type II (replaced in 2017 by SSAE 18)
NIST (National Institute of Standards and Technology): Framework for Improving Critical Infrastructure Cybersecurity ( www.NIST.org ). Core Functions: Identify, Protect, Detect, Respond, Recover

How Did We Get Here?
Significant 2015 Insurance Company Security Breaches Identified
Anthem: 78.8 million records
Premera Blue Cross: 11 million records
Excellus: 10 million records

How Did We Get Here?
NAIC’s Response To Emerging Cybersecurity Threats
2014: Created Cybersecurity Task Force
2015: Issued Principles for Effective Cybersecurity
2017: Adopted Insurance Data Security Model Audit Law
South Carolina: Adopted May 3, 2018; Effective January 1, 2019; Fully Implemented by July 1, 2020
NAIC Anticipates Majority of States Approve over Next 3 Years

Principles for Effective Cybersecurity
Principle 1 – Personally Identifiable Consumer Information Protected from Cybersecurity Risks
State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.

Principles for Effective Cybersecurity
Principle 2 – Personally Identifiable Consumer Information Data Appropriately Safeguarded When Stored or Transmitted
Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.

Principles for Effective Cybersecurity
Principle 3 – State Regulators’ Responsibility To Protect Information Collected, Stored, And Transferred
State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.

Principles for Effective Cybersecurity
Principle 4 – Cybersecurity Regulatory Guidance Consistent With Nationally Recognized Frameworks
Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principles for Effective Cybersecurity
Principle 5 – Regulatory Guidance Must Be Risk Based And Consider Resources of Insurer Or Producers
Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

Principles for Effective Cybersecurity
Principle 6 – State Regulatory Oversight Including Examinations
State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.

Principles for Effective Cybersecurity
Principle 7 – Incident Response Planning
Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component of an effective cybersecurity program.

Principles for Effective Cybersecurity
Principle 8 – Oversight Of Third Parties And Service Providers
Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.

Principles for Effective Cybersecurity
Principle 9 – Cybersecurity Risks Included In Enterprise Risk Management Process
Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Principles for Effective Cybersecurity
Principle 10 – Cybersecurity Related Material Risk Findings Identified By Internal Audit Are Presented and Reviewed By The Board or Board Committee
Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.

Principles for Effective Cybersecurity
Principle 11 – Use Of Information Sharing And Analysis Organization
It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing. (National Council of ISACs: www.nationalisacs.org/member-isacs)

Principles for Effective Cybersecurity
Principle 12 – Training Regarding Cybersecurity Issues
Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

Model Audit Rule
Approved October 24, 2017
The model law progressed through the NAIC Innovation and Technology (EX) Task Force and the Cybersecurity (EX) Working Group during the NAIC's Summer 2017 National Meeting. The working group solicited input from regulators as well as industry and consumer representatives throughout the drafting process.

Model Audit Rule
Key Definitions
“Consumer” means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this State and whose Nonpublic Information is in a Licensee’s possession, custody, or control.
“Cybersecurity Event” means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.
“Nonpublic Information” means:
Business-related information, the tampering with which, or unauthorized disclosure, access or use of which, would cause material adverse impact to the business, operations or security of the Licensee;
Information that can be used to identify a Consumer in combination with one or more of the following elements: social security number, driver's license number, account number, credit or debit card number, security code including password or access code, or biometric records;
Any information or data, except age or gender, derived from a health care provider that includes medical records for past, present and future physical, mental, or behavioral conditions, provision of health care to a Consumer, or payment for provision of health care to any Consumer.

Model Audit Rule
Key Requirements
Implement a formal information security program
Perform periodic risk assessments
Implement procedures to restrict access, protect data systems integrity, and test or monitor systems
Oversight by Board of Directors, including mandating reporting of cybersecurity status and events to the Board
Oversight of third-party service providers
Investigate data breaches and notify the insurance commissioner, if warranted
Note: Notification required if the Licensee believes that the Nonpublic Information involved is that of 250 or more Consumers residing in the State

Model Audit Rule
Implement Formal Information Security Program
Objectives:
Protect the security and confidentiality of Nonpublic Information and the security of the Information System;
Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;
Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and
Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.

Model Audit Rule
Perform Periodic Risk Assessment
Assess the likelihood and potential damage of the identified threats, taking into consideration the sensitivity of the Nonpublic Information;
Employee training and management;
Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.

Model Audit Rule
Design and Implement Risk Management Procedures
Design and implement procedures to restrict access, protect data systems integrity, and test and monitor systems
Stay informed of emerging threats and/or vulnerabilities
Provide personnel with cybersecurity awareness training

Model Audit Rule
Oversight By Board Of Directors
Require the Licensee’s executive management or its delegates to report in writing, at least annually, the following information:
The overall status of the Information Security Program and the Licensee’s compliance with this Act; and
Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management and control decisions, Third-Party Service Provider arrangements, results of testing, Cybersecurity Events or violations and management’s responses thereto, and recommendations for changes in the Information Security Program.

Model Audit Rule
Oversight Of Third-Party Service Provider Arrangements
A Licensee shall exercise due diligence in selecting its Third-Party Service Provider; and
A Licensee shall require a Third-Party Service Provider to implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.

Model Audit Rule
Implement Incident Response Plan
The Incident Response Plan shall address the following areas:
The internal process for responding to a Cybersecurity Event;
The goals of the incident response plan;
The definition of clear roles, responsibilities and levels of decision-making authority;
External and internal communications and information sharing;
Identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
The evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.

Model Audit Rule
Annual Certification to Commissioner
Annually, each insurer domiciled in this State shall submit to the Commissioner, by February 15, a written statement certifying that the insurer is in compliance with the requirements.
Each insurer shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years.
To the extent an insurer has identified areas, systems, or processes that require material improvement, updating or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the Commissioner.

Model Audit Rule
Investigation of a Cybersecurity Event
If the Licensee learns that a Cybersecurity Event has or may have occurred, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation that includes:
Determine whether a Cybersecurity Event has occurred;
Assess the nature and scope of the Cybersecurity Event;
Identify any Nonpublic Information that may have been involved in the Cybersecurity Event; and
Perform or oversee reasonable measures to restore the security of the Information Systems compromised in the Cybersecurity Event in order to prevent further unauthorized acquisition, release or use of Nonpublic Information in the Licensee’s possession, custody or control.

Model Audit Rule
Notification of Cybersecurity Event to the Commissioner
Each Licensee shall notify the Commissioner as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred. The notification shall include:
Date of the Cybersecurity Event;
Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of Third-Party Service Providers, if any;
How the Cybersecurity Event was discovered;
Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
The identity of the source of the Cybersecurity Event;
Whether the Licensee has filed a police report or has notified any regulatory, government or law enforcement agencies and, if so, when such notification was provided;
Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information or types of information allowing identification of the Consumer;

Model Audit Rule
Notification of Cybersecurity Event to the Commissioner (Continued)
The period during which the Information System was compromised by the Cybersecurity Event;
The number of total Consumers in this State affected by the Cybersecurity Event. The Licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;
The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
Description of efforts being undertaken to remediate the situation which permitted the Cybersecurity Event to occur;
A copy of the Licensee’s privacy policy and a statement outlining the steps the Licensee will take to investigate and notify Consumers affected by the Cybersecurity Event; and
Name of a contact person who is both familiar with the Cybersecurity Event and authorized to act for the Licensee.
(Source: Insurance Data Security Model Law 668-10, © 2017 National Association of Insurance Commissioners)
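The 72-hour notice to the Commissioner and the 250-Consumer threshold lend themselves to a small incident-response check that a Licensee can run against a draft notice. The following Python is an added example, not part of the presentation or of the Model Law text; the field names, the sample event values and the assumption that the window is measured from the time of determination (in UTC) are constructed for illustration, and it encodes only the threshold criterion as the slides state it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Elements the Model Law (as listed on the slides) requires in the notice to
# the Commissioner. The key names are constructed for this example.
REQUIRED_FIELDS = (
    "event_date", "exposure_description", "discovery_method",
    "recovery_status", "source_identity", "law_enforcement_notified",
    "information_types", "compromise_period", "consumers_in_state_affected",
    "internal_review_results", "remediation_efforts",
    "privacy_policy_and_consumer_notice_plan", "contact_person",
)
NOTIFY_THRESHOLD = 250               # Consumers residing in the State
NOTIFY_WINDOW = timedelta(hours=72)  # measured from the determination (assumption)

@dataclass
class CyberEventReport:
    determined_at: datetime          # when the Licensee determined an Event occurred
    fields: dict = field(default_factory=dict)

    def consumers_in_state(self) -> int:
        # Best estimate in the initial report; updated with each later report.
        return int(self.fields.get("consumers_in_state_affected") or 0)

def commissioner_notice_required(report: CyberEventReport) -> bool:
    return report.consumers_in_state() >= NOTIFY_THRESHOLD

def notice_deadline(report: CyberEventReport) -> datetime:
    return report.determined_at + NOTIFY_WINDOW

def missing_fields(report: CyberEventReport) -> list:
    """Required elements that are absent or empty in the draft notice."""
    return [k for k in REQUIRED_FIELDS if report.fields.get(k) in (None, "")]

def assess(report: CyberEventReport, now: datetime) -> dict:
    """Summarise the reporting position at time `now`."""
    required = commissioner_notice_required(report)
    deadline = notice_deadline(report)
    return {
        "notice_required": required,
        "deadline": deadline,
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "overdue": required and now > deadline,
        "missing": missing_fields(report),
    }

# Constructed sample: determination made at 09:00 UTC; the contact person and
# the compromise period are not yet filled in; 1,200 in-state Consumers estimated.
SAMPLE_DETERMINED = datetime(2018, 10, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = CyberEventReport(SAMPLE_DETERMINED, {
    "event_date": "2018-10-20", "exposure_description": "credential misuse on claims portal",
    "discovery_method": "SIEM alert", "recovery_status": "unknown",
    "source_identity": "under investigation", "law_enforcement_notified": "FBI, 2018-10-25",
    "information_types": ["policy numbers", "claim medical summaries"],
    "consumers_in_state_affected": 1200, "internal_review_results": "pending",
    "remediation_efforts": "credentials reset, MFA enforced",
    "privacy_policy_and_consumer_notice_plan": "attached",
})
SAMPLE_NOW = SAMPLE_DETERMINED + timedelta(hours=30)
```

Calling `assess(SAMPLE_REPORT, SAMPLE_NOW)` reports that notice is required, 42 hours remain, and the compromise period and contact person are still missing.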

Model Audit Rule
Notification of Cybersecurity Event to Consumers
The Licensee shall comply with, and provide a copy of the notice sent to Consumers under that statute to the Commissioner, when a Licensee is required to notify the Commissioner.

Model Audit Rule
Notification of Cybersecurity Event to Reinsurers
In the case of a Cybersecurity Event involving Nonpublic Information that is used by the Licensee that is acting as an assuming insurer, or in the possession, custody or control of a Licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected Consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of making the determination that a Cybersecurity Event has occurred.

Model Audit Rule
Power of the Commissioner
The Commissioner shall have power to examine and investigate into the affairs of any Licensee to determine whether the Licensee has been or is engaged in any conduct in violation of this Act. This power is in addition to the powers which the Commissioner has under. Any such investigation or examination shall be conducted pursuant to
Whenever the Commissioner has reason to believe that a Licensee has been or is engaged in conduct in this State which violates this Act, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this Act.

Model Audit Rule
Exceptions To The Act
A Licensee with fewer than ten employees, including any independent contractors, is exempt from Section 4 of this Act;
A Licensee subject to Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996 (Health Insurance Portability and Accountability Act) that has established and maintains an Information Security Program pursuant to such statutes, rules, regulations, procedures or guidelines established thereunder, will be considered to meet the requirements provided that the Licensee is compliant with, and submits a written statement certifying its compliance with, the same.

Impact on Insurance Examinations
NAIC Financial Condition Examiners Handbook
The NAIC Information Technology Working Group is proposing new procedures to incorporate these changes as guidance for the IT Work Plan in the Financial Condition Examiners Handbook.

Other Regulatory Considerations
Other Regulations That Could Impact Insurance Companies And Their Examinations
General Data Protection Regulation (GDPR) by the European Union: impact on international insurance companies; probably the most comprehensive and complex data regulation in the world; effective May 25, 2018
Individual state regulations strengthening cybersecurity and privacy laws:
New York (NYDFS 23 NYCRR 500): covered entities required to be in compliance effective March 1, 2019
California: The California Consumer Privacy Act of 2018, effective January 1, 2020

Reference Sources
Sources for Presentation
NAIC Principles for Effective Cybersecurity: Insurance Regulatory Guidance: https://www.naic.org/documents/committees_ex_cybersecurity_tf_final_principles_for_cybersecurity_guidance.pdf
NAIC Insurance Data Security Model Law: https://www.naic.org/store/free/MDL-668.pdf
NYDFS: 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
California Privacy Law (AB-375 Privacy: personal information: businesses): https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
General Data Protection Regulation 2016/679: https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en

THANK YOU
Jerry Ehlers
Examinations Manager
Indiana Department of Insurance
317 232-2408
jehlers@idoi.in.gov
www.in.gov/idoi