3 Key Takeaways About the Latest Cyber Insurance Regulatory Trends in 2021
- Today, paying ransomware isn’t the only expense a company faces when a breach occurs.
- While the more than $500 million in regulatory fines and penalties that Equifax paid recently for cybersecurity breaches represent the upper end of the spectrum, companies are facing increased financial sanctions from regulators when their anemic cybersecurity allows breaches to occur.
- Additionally, regulators are enforcing HIPAA, and breaches are becoming more national in scope and financial exposure, rather than just statewide.
NetDiligence® President Mark Greisiger and Mullen Coughlin Partner Chris Dilenno discuss these takeaways and other aspects of today’s cyber insurance regulatory trends and enforcement. Read the synopsis below and watch the video for their entire interview.
The Expensive Trouble With Anemic Cybersecurity
MG: Chris, both NetDiligence and your firm, Mullen Coughlin, support the same cyber insurance community of underwriters, claims folks, risk managers, and brokers. Everyone talks about ransomware and security breaches, but no one really talks about the fines and penalties that state attorneys general impose when they find the company had anemic security that led or contributed to the breach. What is your team saying that can help keep our insurance partners up to date?
CD: What we think is interesting is the fines and penalties don’t get the same kind of airplay as ransomware or cybersecurity in general. But there’s a lot of activity going on with the regulators these days. The word I use to sum it up is MORE.
There are more regulators taking an active role in response to incident reporting and cybersecurity in general.
They are asking more questions, conducting more detailed investigations, and they’re conducting more investigations.
And it’s not just the same regulators like California, Indiana, New York, Florida, and Massachusetts. More regulators are joining the fray, including Colorado, New Jersey, Vermont, and Washington state. This [trend] is because the breaches themselves are often almost national in nature. The victims reside in many different states, not just the state where the company is based.
MG: That’s interesting. Are there any state AGs or enforcers you think are becoming leaders as far as enforcement goes?
CD: Yes. Indiana is becoming a leader. They consistently ask questions along the same lines as what we’ve seen in Colorado and New Jersey, where the attorneys general are enforcing HIPAA.
This trend is leading to significant investigations for HIPAA-covered entities like hospitals that experience a breach. While they’ve always been investigated by HHS [the U.S. Department of Health and Human Services] for any matter affecting 500 or more people, the state requirements also require notice to their attorneys general at the same time.
AGs are asking the same types of questions the OCR asks, and [those questions are] leading to fines, penalties, and corrective action from the state level.
MG: That [trend] makes sense when you think about it. Can you walk us through what an investigation might look like and typical outcomes or results?
CD: When there’s an incident, we must report it to the regulators. Many of them have forms to fill out with basic information about the incident such as:
- What do you do for risk management for the enterprise?
- Show us your most recent risk management plan or your most recent risk analysis.
- What are your written information security policies and procedures?
- What types of training do you conduct for your employees, and how frequently?
They want to see supporting documentation and the software we’re using, not a big-picture summary of things. They can confirm if we’re encrypting data at rest as well as in transit. They want to know what types of monitoring software we have in our network and whether we use multi-factor authentication. The standards and best practices in the IT world are becoming part of the conversation with the regulators.
If you have good answers, the outcome is, “Thanks a lot, we’re closing our file.” But from many people, the regulators hear, “We see ten holes in our security program, and here are the ways we’re working on fixing them and the timeline to do it.”
You have to voluntarily show how you’re complying with requirements and keeping the place secure. If you don’t, the enforcers dig in.
The outcome can be a corrective action plan where they’re going to ask you to report to them every six months or every year with your risks, how you’re mitigating them, and your compliance items.
MG: Let’s talk a little bit about what you’re seeing with fines and penalties.
CD: I think what gets [regulators] fired up the most and leaning toward data breach fines are anemic actions or an egregious set of facts where it’s clear the client was way behind.
There was a recent announcement in New Jersey. The AG fined someone $500,000 in a response. The matter affected 11,000 New Jersey residents, so it wasn’t a huge impact on the state, but it was a lot of data, and there were a lot more people involved in the incident. They enforced HIPAA and came up with a $500,000 fine. Most state fines are smaller. They’re more like $25,000-$50,000 with corrective action.
But I think you have to be concerned about multi-hundred thousand dollar fines even at the state level [because states can also enforce HIPAA requirements].
MG: If I were a cyber policyholder, what should I do so I don’t run afoul of a regulator?
CD: The smartest thing you can do is ask yourself, “What would I do if I was audited today?” Put yourself through that process now before you have to [go through it]. It’s essentially conducting a risk analysis and finding the holes. It’s something that’s good to be guided through by an expert like an IT specialist. There’s also training and development of policies and procedures, and how often the organization updates those.
We often engage with our clients to conduct these risk analyses and conduct an audit to find all the areas that need mitigation and get a plan together. That way, if something happens and you have to report to a regulator, they’ll see you’re doing all you can. That makes all the difference.
MG: I’d say the best solution would be to have the Mullen Coughlin hotline on speed dial.
Watch Chris and Mark’s full discussion about cyber insurance regulatory trends. If you have questions for Chris, reach out to him at Mullen Coughlin or speak with him and his partners at a NetDiligence Cyber Risk Summit conference. You can also find information about Mullen Coughlin in the NetDiligence eRiskHub.