Cybersecurity and Insurance Companies

Transcription

1 Cybersecurity and Insurance Companies ACLI Forum 500 CEO Leadership Retreat Timothy J. Nagle Vice President & Chief Privacy Counsel Prudential Financial 1 May 13, 2015

2 What is cybersecurity? Protecting sensitive data and maintaining network integrity Threat to proprietary information and personal information Combination of process, policy, training and technology Challenge for public and private sectors 2

3 Why Should I Care? Individual customers or institutional/corporate clients will assume it Corporate clients will ask for representations or assurances about it State insurance commissioners and attorneys general will require it Employees will want it Boards will ask about it (or will be advised to do so) The SEC and shareholders consider it part of corporate governance Your peers and the industry will address it 3

4 Pending Legislation H.R Cyber Intelligence Sharing and Protection Act (CISPA) H.R Cyber Privacy Fortification Act of 2015 S Data Security and Breach Notification Act of 2015 S The Cyber Threat Sharing Act of 2015 S H.R H.R.1704 H.R Cybersecurity Information Sharing Act of 2015 (CISA) The Data Security and Breach Notification Act Personal Data Notification and Protection Act Protecting Cyber Networks Act H.R.1731 National Cybersecurity Protection Advancement Act of 2015 H.R.2205 (no title to date) S.961 The Data Security Act of

5 Evolving Regulatory Guidance Securities and Exchange Commission CF Disclosure Guidance: Topic No. 2 (Cybersecurity), October 13, 2011 National Exam Program Risk Alert; OCIE Cybersecurity Initiative, April 15, 2014 Division of Investment Management; IM Guidance Update ( Cybersecurity Guidance ), April 2015 FINRA Report on Cybersecurity Practices (Feb 2015) Commodity Futures Trading Commission, CFTC Staff Advisory No ( Gramm-Leach-Bliley Act Security Safeguards ), Feb 26,

6 Evolving Regulatory Guidance (cont d) FBI Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015) State of New York Division of Financial Services Report on Cyber Security in the Insurance Sector (February 2015) Update on Cyber Security in the Banking Sector: Third Party Service Providers (April 2015) NAIC Principles for Effective Cybersecurity: Insurance Regulatory Guidance (April 2015) OCC Bulletin : Third Party Relationships (October 30, 2013) 6

7 The Top Ten List The Things I Wish I Would Have Done Before This Breach Event Happened 1. Been involved in employee training and awareness. 2. Managed vendors regarding contract language for security standards, privacy policy, and event notice/coordination requirements. Been involved in employee training and awareness. 3. Established relationships with outside counsel and a forensic/incident response/technology firm. Preservation of attorney-client privilege Negotiate a master service agreement An event should result in two types of report 4. Inserted myself into the reporting and threat intelligence collection process. 5. Identified and introduced myself to representatives from trade/industry groups, regulators and law enforcement agencies for ongoing dialogue, information sharing and event coordination. 7

8 Nagle s Top Ten (cont d) 6. Developed, implemented, socialized and exercised the event response plan. What constitutes an event and who makes the call? Distinguished between a network security breach and unauthorized access to personal information. 7. Scripted internal and external communications and had them preapproved to the extent possible. 8. Established criteria for formal notification to customers, regulators, executive management/board and shareholders. 9. Designated who leads the investigation, response, remediation, notification and after phases and who maintains the record. 10. Prepared for what happens after the event regarding insurance claims litigations and remediation. 8

9 SIX Things Every Company (Large or Small) Should Have 1. Information security policy/program 2. Privacy policy 3. Incident/breach response process 4. Employee training and awareness 5. Vendor management program 6. Business continuity plan 9

10 Other Considerations 1. Cyber insurance 2. Briefing the Board 3. SEC disclosures and other reporting requirements 4. State privacy breach reporting 5. Red flags rules 6. Payment Card Industry Data Security Standards 10

11 Timothy J. Nagle Vice President and Chief Privacy Counsel Prudential Financial, Inc. 11