New York’s top financial regulator has asked some of the largest U.S. insurance companies to disclose details on their preparedness for cyber attacks, following a similar request to major banks earlier this year.
The New York State Department of Financial Services said it sent letters on Tuesday asking insurers whether they have faced any cyber attacks in the last three years, what safeguards they have put in place and how much money they have set aside for dealing with cyber issues.
“Insurance companies, in some cases sometimes more than banks, hold incredibly sensitive information of regular people,” said Ben Lawsky, New York’s superintendent of financial services, in an interview. “We’re trying to get ahead of a problem and focus here on an area that I think has been under-appreciated and maybe not focused on enough by regulators.”
In recent months, most of the attention around cyber security and the financial sector has focused on retail banks. A series of attacks rendered bank websites inaccessible for long stretches of time, and experts have said those incidents were more serious than people realize.
But in many ways, the $1.1 trillion U.S. insurance industry is just as vulnerable, given the reams of data that insurers have on their individual and corporate customers. Ironically, protection against such attacks is also one of the fastest-growing segments of the insurance industry.
One expert in cyber law said the rigor of the insurance underwriting process meant that insurers know details about lots of companies across a variety of industries – a candy store of sorts for hackers looking for ways to attack Corporate America.
“If I’m going to become your insurer, I want to make sure you are going to be a good risk. I need to strip apart your business,” said Richard Bortnick, a Philadelphia-based attorney.
Nearly three dozen insurers received the letters, which they are legally obliged to answer. Among the largest are health insurer Aetna; Warren Buffett’s conglomerate Berkshire Hathaway; life insurer MetLife; and property insurer Travelers.
Lawsky said there was no question insurers were already focusing on cyber attacks, but the department wanted to know how they prioritized that risk.
“I think some of the companies do a good job and some need to focus on it more,” he said.