June 5, 2013
Previously published on June 3, 2013
The State of New York has launched an investigation into the policies and procedures established by New York’s largest insurance companies to secure their electronic systems from unauthorized access. Through the use of so-called “308 Letters” issued by the New York Department of Financial Services (Department), these insurers must provide specific information, including:
- Information regarding any cyber-attacks in the past three years
- Cybersecurity safeguards that the insurer has in place
- Information technology management policies
- Amount of funds and other resources expended on cybersecurity
- Governance and internal controls related to cybersecurity.
In responding to a 308 Letter, the requirements of New York Insurance Regulation 173 should be considered. Regulation 173, promulgated in 2002, provides that insurers must implement a comprehensive written information security program (WISP), which must be adjusted as changes in technology and other specified circumstances warrant. Insurers responding to a 308 Letter may benefit from reviewing any materials developed in 2002 in response to Regulation 173.
In preparing responses to a 308 Letter, insurers and regulators need to consider the sensitivity of the information being sought and how this information could be misused by hackers. It will be important to satisfy regulators’ concerns by responding accurately and truthfully, while remaining mindful that detailed descriptions of cybersecurity measures, policies and procedures could provide would-be hackers with a road map, enhancing their ability to obtain the sensitive data that the insurer is protecting. Resolving these issues will be facilitated by thoughtful discussion between responding insurers and regulators, aided as needed by counsel and security consultants.
Relationships maintained by Wilson Elser’s Government Affairs practice, supplemented by the substantive skills of our Data Security & Cyber Liability practice, can help clients walk this line - satisfying the Department’s needs, protecting sensitive information and positioning responding insurers carefully in the event that a breach happens after a 308 Letter response is provided. Experienced lawyers on these teams regularly work seamlessly together to help companies address regulatory issues stemming from data breaches and related issues. This skill set, in collaboration with companies’ existing expertise, can make a meaningful difference when responding to the 308 Letters.
Wilson Elser is positioned to assist our clients in communicating effectively with regulators in connection with 308 Letters. Notably, our Government Affairs team members have maintained a long-standing working relationship with the governor’s office, the Department and the New York State Legislature. Our relationships have resulted in our firm’s ranking by the Joint Commission on Public Ethics as the number one lobbying firm in the State of New York for the past 16 years. These relationships translate into a unique ability to assist insurers in responding to 308 Letters effectively and appropriately in a manner that protects sensitive information and our clients’ interests.
Our Data Security & Cyber Liability team has significant experience in assisting companies with cybersecurity preparedness and breach response, as well as defending companies in regulatory investigations and litigation stemming from data breaches. This experience permits us to provide insights to aid in crafting responses to 308 Letters, providing accurate information in a manner that can enhance the insurers’ position should a breach take place after 308 Letters have been submitted.