This past summer, The Council and the American Property Casualty Insurance Association finalized a model questionnaire that can be used by carriers to evaluate the potential cyber-security exposure posed by the agencies and brokerage firms with which they work.
The questionnaire also can be deployed more broadly and can be used, for example, by MGAs to evaluate the cyber-security protocols of their retail agency partners that may have access to their systems.
Carriers and other users of the new questionnaire may elect to add an addendum with more bespoke, customized questions that are specific to their platforms or cyber-security protocols. For respondents, though, the goal is to minimize their administrative burdens by enabling them to provide a standardized response to third-party service-provider (TPSP) questionnaires and to limit the need for tailored responses to any addenda they receive. This is in contrast to the current need to fill out each carrier questionnaire individually; Council members typically receive hundreds if not thousands of these individual requests, and they either have full-time personnel devoted to responding or have found ways to limit the information they are providing.
Finalizing the model questionnaire is the first step in The Council’s work with APCIA to develop a set of industry best practices (best in the sense of most efficient) for TPSP cyber-security oversight.
A Little History
On Feb. 16, 2017, the New York State Department of Financial Services (DFS) published the final version of its cyber-security rule, which requires any entity licensed under New York banking or insurance laws (referred to as “covered entities” under the rule) to establish and maintain specified cyber-security programs to protect their systems and data.
Earlier, in 2016, the National Association of Insurance Commissioners’ Cybersecurity Working Group had begun work on a similar initiative that resulted in the October 2017 adoption of the NAIC’s Insurance Data Security Model Law, which ultimately was based in large part on the New York rule.
To date, 21 states have enacted laws based on that NAIC model law—Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Vermont, Virginia and Wisconsin—and the strong expectation is that more states will follow suit when their state legislatures reconvene in 2023.
Both the New York rule and the NAIC model law include requirements that every covered entity ensure that its TPSPs have security measures in place to protect and secure the covered entity’s information systems and nonpublic information that are accessible to, or held by, those TPSPs. In part because all New York insurance licensees are directly subject to the New York rule, and in part because their obligations under that rule vary with their size and the magnitude of their New York-related activities, the insurance industry originally read the New York TPSP requirements as applying only to a covered entity’s non-licensed TPSPs.
In a set of frequently asked questions issued in mid-2018, however, DFS dispelled that notion and affirmatively stated that a covered entity must subject all of its TPSPs to a full TPSP due diligence process, including TPSPs that themselves are licensees already subject to the cyber-security rule.
In so doing, DFS also went two steps further. First, it noted that a covered entity may need to impose cyber-security protocols on its licensed TPSPs beyond whatever the cyber-security rule already requires of them, in order to ensure that its own systems and information are adequately protected.
Second, DFS “emphasize[d] the importance of a thorough due diligence process in evaluating the cybersecurity practices of a” TPSP. “Solely relying on the Certification of Compliance,” required of all New York licensees to demonstrate compliance with the New York cyber-security rule, “will not be adequate due diligence,” the department said. Covered entities instead “must assess the risks each TPSP poses to their data and systems and effectively address those risks.”
The New York TPSP due diligence edict resulted in many New York licensed carriers quickly issuing inquiries to their appointed agencies in an effort to demonstrate their own compliance. Some firms filled out the surveys; some sent their own carefully calibrated statements that may or may not have been responsive to the inquiries; and others did nothing at all. And although to my knowledge we have seen nothing to date from the states that have enacted the NAIC model specifying mandatory due diligence with respect to their licensed TPSPs, it is not hard to imagine a ramping up of due diligence expectations in those (and other) jurisdictions as well.
In an effort to address the mounting concerns of both our broker members and our carrier partners, in 2019 The Council and APCIA launched a joint board-approved project designed to develop voluntary industry best practices for the assessment and monitoring of TPSPs’ cyber risk and cyber-security programs. The pandemic wrought havoc with our efforts on a number of fronts, but our member-driven working groups coalesced and finalized the model questionnaire, which was issued in August.
Going forward, we intend to convene our Council and APCIA working groups on a regular basis, as there is work that remains to be done.
First and foremost, the questionnaire will need to be updated from time to time to remain current by incorporating and responding to the inevitable legal and technological developments.
Our second goal is to develop standardized compliance protocols based on “bucketed” risk tiers for licensed TPSPs. Each covered entity would decide for itself into which tier each of its licensed TPSPs falls. The compliance requirements for each tier would depend in part on whether the relationship between the licensee and its TPSP presents other risk factors that warrant additional cyber-security requirements and protocols beyond what regulation already requires.
For example, the compliance tiers for licensed TPSPs could look something like the following:
- High-Risk Tier: Specialized oversight protocol for state-regulated TPSPs.
For licensed TPSPs that the covered entity classifies as high risk due to unique access to that entity’s data or systems, the nature or volume of the data held, and/or other criteria established by the covered entity, the covered entity could impose its own set of bespoke compliance requirements in addition to what is regulatorily required of the licensed TPSP.
- Medium-Risk Tier: Standard oversight protocol based on full compliance with a state’s cyber-security regulations.
For licensed TPSPs that the covered entity classifies as moderate, the compliance requirements could be limited to the full set of regulatory requirements.
- Low-Risk Tier: Oversight protocol based on compliance with some subset of a state’s cyber-security regulations.
For smaller licensed TPSPs that the covered entity classifies as low risk, compliance requirements could be limited to what is required by smaller entities under the applicable rules.
The third goal is to develop an oversight protocol for insurance industry TPSPs that are not licensees and therefore are not directly subject to a state’s cyber-security regulatory regime. Ideally, we would invite representatives of the non-regulated insurance TPSP community to participate in what would be, in essence, a standard-setting process.
Fourth and finally, coalescing around industry certification and verification standards that would allow some delegation of this oversight to other TPSPs could be very helpful in minimizing the overall administrative burdens associated with both demonstrating and effectuating the requisite compliance in this space.
There is a lot to be done. Now we just have to do it.