
Cybersecurity, Insurers, and the Department: What You Need to Know - PowerPoint PPT Presentation



  1. Cybersecurity, Insurers, and the Department: What You Need to Know
     John J. Lacek IV, Esq.
     Department Counsel
     Chair – Cybersecurity Incident Response Task Force
     Office of Chief Counsel | www.insurance.pa.gov

  2. A Growing Threat and Growing Awareness
     • Cybersecurity threats emerged as one of the top threats to corporations in the early part of the decade
     • 2013 Target breach – 100 million individuals exposed
     • 2014 JP Morgan Chase breach – 83 million accounts exposed
     • 2015 Anthem Insurance breach
       • 78.8 million customers exposed
       • Names, birthdays, Social Security numbers, addresses and email accounts
       • $260 million in remediation costs
       • $115 million to settle litigation

  3. The Threats Proliferated
     • 2015 Premera Blue Cross breach
       • 11 million customer records compromised
     • 2018 – Bankers Life breach
       • 566,217 insureds impacted
     • 2018 – Independence Blue Cross breach
       • 17,000 members impacted
     • 2019 – First American Title
       • Over 885 million records potentially exposed
       • Records went as far back as 2003
       • Social Security numbers, dates of birth, mailing addresses, account numbers, tax documents, and driver licenses

  4. A Continued Threat
     • Over 53,308 security incidents in 2018
     • 2,216 data breaches
     • 598 security incidents in the financial services sector
     • 146 data breaches in the financial services sector
     • 87% of attacks in 2018 took merely minutes to compromise a system
     • 68% of attacks in 2018 took months or longer to discover

  5. More than Mere Data Breaches
     • Numerous types of incidents may be classified as a cybersecurity incident
       • Simple hacking
       • Phishing
       • Malware
       • Ransomware
       • Brute force attacks
       • Denial of service attacks
       • Privilege misuse
       • Physical infrastructure attacks

  6. The Internet of Things – A Dangerous Playground
     As IoT technology becomes more ubiquitous, so too do the cybersecurity implications
     • Cell phones
     • Smart watches
       • MiSafes child tracking smartwatches
     • Smart speakers
       • Hack via audio files
     • Smart televisions
     • Security cameras
       • Partly blamed for the 2016 Dyn DDoS attack

  7. What Authority Does the Department Have?
     31 Pa. Code Chapter 146c – Standards for Safeguarding Customer Information
     • Requires licensees to have a comprehensive written security program
     • Requires licensees to assess their risk
     • Requires licensees to train staff to implement the security program
     • Requires licensees to regularly test or monitor key controls, systems and procedures
     • Requires licensees to use due diligence when selecting service providers, and requires service providers to implement measures designed to meet the objectives of the security program

  8. 31 Pa. Code Chapter 146c
     • A violation of the Chapter is deemed to be an Unfair Insurance Practice
       • Revocation of license
       • Injunction
       • $5,000 civil penalty
     • Avoidance of liability for service providers
       • If the licensee has reason to know that a service provider is engaging in a pattern of activity which violates this chapter, the licensee will be liable unless:
         • The licensee terminates the contract, if feasible, or
         • If not feasible, the licensee notifies the Department

  9. What Has the Department Done?
     • Early 2017 – Formed a working group to study the matter
       • Studied case studies
       • Reached out to experts in the field
       • Drafted recommendations
     • Late 2017 – Formed the first iteration of the Cybersecurity Incident Response Task Force
       • Composed of a small group of Department experts
       • Developed processes and procedures for handling a cybersecurity incident
     • Early 2018 – Task Force goes live
       • January 24, 2018 – first incident handled by the Task Force

  10. What Has the Department Done? (continued)
     • Mid 2018 – The Task Force conducted an internal review of its handling of its first reported incident
       • Critical evaluation of goals and results
       • Culminated in a report and recommendations
     • Late 2018 – New Task Force created
       • Comprised of a larger group of Department program areas
       • Provided more flexibility in the processes and procedures to be used
       • Greater Department-wide communication while ensuring confidentiality and restrictions on access to information

  11. Current Task Force
     The Task Force is currently comprised of numerous Department program areas
     • Market Conduct
     • Financial Examinations
     • Financial Analysis
     • Consumer Services
     • Legal
     • Press
     • Policy
     • Legislative
     • Information Systems
     • Executive Office

  12. Task Force Goals
     • Serve as the primary liaison between the Department and an entity experiencing a cybersecurity incident
     • Ensure proper remedial actions are taken to ensure consumer protections and licensee integrity
     • Provide licensees with support and advice in dealing with and remediating a cybersecurity incident
     • Cooperate with industry to better facilitate communication regarding cybersecurity issues
     • Continually evaluate and refine processes to deal with licensees who have experienced a cybersecurity incident

  13. Task Force Expectations
     • Prompt report of a cybersecurity incident to the Task Force
       • Incidents when PII was possibly compromised
       • Incidents which may affect the operations of a licensee
     • Cooperation with the Task Force in developing an understanding of the incident
     • Licensees taking appropriate action to remediate potential harm
       • Notice to consumers
       • Forensic analysis of the incident
       • Remedial security actions
     • Reporting to relevant authorities
       • Law enforcement
       • Other regulatory bodies

  14. When Should I Report?
     • Discretion is left to the licensee, but a few considerations should guide this decision:
       • Was PII exposed?
       • Did the incident impact operations?
     • Financial examinations will look for cyber incidents
     • The Department expects to know of an incident before the general public
     • The Department does not want to be taken by surprise

  15. What About Confidentiality?
     Pursuant to the Exam Law and Holding Company Act, all communications with the Task Force are held in strict confidence
     • Not subject to Right-to-Know
     • Not subject to subpoena
     • No waiver of privilege
     • Access to information is limited to Department employees with a need to know

  16. NAIC Insurance Data Security Model Law

  17. State Adoption

  18. What Does the Model Do?
     The Model contains four key components
     • Cybersecurity Program
     • Investigation of Cybersecurity Incidents
     • Notification requirement
     • Examination authority

  19. Cybersecurity Program
     • Requires licensees to conduct risk assessments
     • Requires licensees to create a cybersecurity program based on the risk assessment
     • Allows licensees flexibility in how to implement their cybersecurity program
       • Program should be commensurate with the size and sophistication of the licensee
       • No prescriptive requirements
     • Requires licensees to develop an incident response plan

  20. Investigation of Cybersecurity Incidents
     • Requires a licensee to conduct an internal investigation of any cybersecurity incident
     • Mandates that licensees, to the greatest extent possible, must be able to identify certain information
       • Assess the nature and scope of the cybersecurity event
       • Identify the PII, if any, which was involved
       • Date of the event
       • How the event was discovered
       • The period during which the system was compromised
       • How the information was exposed or compromised
       • The source of the cybersecurity event

  21. Notification
     • Requires a licensee to notify the Department within 72 hours of the discovery of a cybersecurity event
     • Requires notice to insureds pursuant to state notification laws (73 P.S. § 2302 – “without reasonable delay”)
     • Requires licensees to notify producers of record
     • Notice of reinsurers to insurers and vice versa

  22. Examination Authority
     • Provides the Department with explicit authority to examine licensees’ cybersecurity programs
     • Provides the Department with explicit authority to investigate cybersecurity incidents
     • Prescribes penalties and remedial actions

  23. General Data Protection Regulation (GDPR)
