Navigating cyber risk
Finance and insurance leaders share updates to cyber regulation, current threats
Financial institutions and insurance companies are accustomed to mitigating risk, given the value of the assets they handle. As these risks became increasingly concentrated in cyberspace and on consumer data within these institutions, regulations have provided guidance on companies’ approaches to safeguarding their systems.
Some laws standardizing how financial and insurance companies share information have been in place since the late 1990s, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, also known as HIPAA. Evolving threats to data security have also led to new and updated regulations for the critical infrastructure industries.
One of the most recent updates affecting Iowa is the Insurance Data Security Act, which was signed into law by Gov. Kim Reynolds in 2021 to establish state standards for data security among companies licensed by the Iowa Insurance Division. The law generally follows the Insurance Data Security Model Law developed by the National Association of Insurance Commissioners in 2017. As of June, 22 states have passed laws based on the model.
Recent federal cybersecurity regulations for financial institutions include the Computer Security Incident Notification Rule and an amendment to the Federal Trade Commission’s Safeguards Rule, which went into effect in May 2022 and December 2022, respectively.
In Iowa, the state Division of Banking supervises all Iowa state-chartered banks and also has regulatory and licensing authority over other people and entities. It monitors banks for compliance with state and federal law and issues guidance related to those mandates, Julie Gliha, vice president of compliance at Iowa Bankers Association, said in an email. For example, the division’s website includes guidance on developing cybersecurity policies and procedures reflecting the organization’s expectations as the state regulator.
The Business Record spoke with the Iowa Bankers Association’s Vice President of Information Technology Anthony Parrish and Network Manager Tim Mosbach as well as Iowa Insurance Commissioner Doug Ommen to learn more about recent updates to cybersecurity regulation and the current cyber risks financial and insurance companies are facing.
This Q&A has been lightly edited for length and clarity.
What are the most dominant cyber threats currently? What is at risk if a financial or insurance company experiences a breach?
Parrish: I think the biggest one you’re seeing now is ransomware. A lot of that comes through phishing attacks on employees or trying to get people to install software. Organizations spend a lot of money trying to block things, but ultimately the users play a role in all this too. Ransomware is an easy thing for a lot of hackers; it’s easy to get a hold of the tools to do this. Once they get a hold of a system, then they’re looking for money, the insurance carriers pay it and I hate to say it but it’s great revenue for the hackers, which drives a lot of the activity. Just the volume of it is so high that it makes it difficult to fight against or challenge against because they’re always trying to innovate new ways. Ransomware attacks can be detrimental to the business. One of the things that everybody’s trying to protect is obviously reputational risk, but in the financial industry as a whole they’re considered critical infrastructure because money movement happens through financial institutions. You expect to have your paycheck and you expect to be able to deposit a check or go buy some groceries and that money will clear, so anything that disrupts that can be extremely problematic. That’s why they are under such restrictions and that’s why you see the government very involved as a strategic institution, really helping to assist in some ways with the managing of it.
Ommen: I think the thing that has to be kept in mind, just as with other financial institutions, is that you can think of insurance data kind of as a crown jewel when it comes to criminal activity. Historically, I hate to draw this analogy but I will, if you just look back through time there was a high incentive to rob banks because you could break into the safe, you could steal valuable cash. Well, banks hold money, insurance companies hold money and investments. Also really valuable data because it’s not just the money that they hold, it’s the value of the information about millions of investors, future retirees, people with life insurance, so that data is really incredibly valuable for the criminal elements in our society, so the insurance companies understand how tightly that has to be protected. The [Insurance Data Security Act] really kind of just recognizes what the insurance companies already have known: Companies need to really protect that highly valued information. The companies themselves, under these regulations, they have to not just deal with present risk, which is pretty well known and most companies are able to access experts in cyber to help them harden their walls, but they also have to be looking forward to evaluate what else is happening because as you’ve heard it said, it’s not if, it’s when, and the reality is it happens routinely. These companies are routinely under attack, it’s just whether or not they’re able to properly protect themselves from those efforts to invade.
What are the most recent updates to cybersecurity regulations for financial institutions?
Parrish: The purpose of the FDIC Computer Security Notification Incident rule is to provide bank regulating agencies early warning of emerging threats to banking organizations and the broader financial system. This includes potential systemic cyber events. The Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency require banking organizations to notify their primary regulator of a material computer-security incident as soon as possible but not later than 36 hours after an incident has occurred. This rule also applies to service providers of the bank, who are now required to notify the bank as soon as possible of an incident that could affect their operations for four or more hours. The banking industry is already heavily regulated, so security incident notification is not new to them. However, requirements around the new rule will require them to review and possibly update their current incident response plans, service provider contracts, and security incident detection practices and protocols.
Per the FTC’s website, “The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.” The revised rule provides more specific guidance for covered financial institutions. The original rules allowed for more flexibility and discretion in how financial institutions protected the confidentiality and security of customer data. While most financial institutions already should have had some of the requirements in place, the new rule spells out in more detail what is required. The focus of the rule is on financial institutions’ information security programs and the types of data security incidents covered and identifying a person responsible for data security.
What standards does the Insurance Data Security Act establish for Iowa insurance companies?
Ommen: If you look back in the earlier laws, like HIPAA, it put in place responsibilities and there were some state hacking laws or cyber breach laws too, but it was really more along the lines of, if there is a breach, how do you notify your customers? Or if there is a breach, what is it you need to do in terms of next steps? There’s HIPAA, where you couldn’t release certain information without consent. The cybersecurity or the data security law that we now enforce really has more to do with, again, trying to avoid the breaches, not to remedy the breaches once they have happened. There are provisions in those laws that deal with remedy after a breach but it’s more designed to put us in a position with the companies for them to do what they already were doing. It’s just that it wasn’t being done as consistently as we think it should have been across all members of the industry. By catching up, what it’s done is put [the Iowa Insurance Division] as the domestic regulator, not just on finance, but also on cyber. That puts us in a position to really engage with the companies to make sure they’re always at the leading edge of those necessary protections because technology continues to change. Certainly cyber crimes and cybersecurity risk continue to evolve, so the cybersecurity laws that were adopted here that we worked on at the [National Association of Insurance Commissioners] really are designed to make sure that the companies are always put in the position of needing to catch up. That is, they need to stay ahead of where it is that the risk is coming from. In today’s world with data and access being as it is with satellite technology, it’s becoming a much smaller world.
As cyber risks continue to increase, is it driving investment in prevention measures or cyber insurance?
Parrish: I don’t know that it’s driven more. I think the urgency on cybersecurity has always been there. I think where increased cyber threats have really had an effect is on cyber insurance coverage. Increased cyber-related losses are driving up the cost of the insurance, while carriers are adding stricter underwriting requirements, limiting coverage and enforcing stricter security practices, making it financially harder to get or maintain coverage. I feel like the urgency was there, but I think it’s impacting financial institutions. It’s impacting all of us, really, any business. Ransomware is really driving up the cost to keep that cyber insurance coverage and that liability protection that you need. The purpose of insurance is to cover the loss of operations and any fines that you would potentially have, which can add up pretty significantly in a breach scenario. Your risk assessment is the ability to operate regularly and the revenues from it. Part of that risk mitigation is insurance to cover your loss of operations or the liabilities that come out of a breach, and so as that continues to go up, that becomes a challenging expense.
Mosbach: One thing that’s also come out with the increased frequency of these ransomware attacks is somewhat of a buzz term of “zero trust.” [Zero trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated before being granted or keeping access to applications and data.] Conceptually, the understanding is if you were to be breached, how do you limit it? How do you mitigate it quickly? How do you see it? How do you react to it? And again, trying to segregate systems in a way that makes it so if we believed we were already breached, how do you secure that? The concept is really good, and again it’s always like a cat and mouse game. As you keep getting better, then you have somebody who keeps trying to get better at getting into your systems. It’s a never-ending struggle of trying to make sure you’re secure. Overall, I think it just has made us be even better, and with the cyber insurance as well, everybody just expects more and it’s a good thing.
Are there any other current trends around data security to note?
Mosbach: One item that is probably not new, but newer, is securing a cloud environment. You have Microsoft Office 365, Salesforce, a lot of your cloud providers. So now not only are you securing your own network and your own systems, but you’re having to assess the risk of these cloud providers and ensuring that they’re meeting your requirements. Most of your big ones are, and so it’s just balancing the need to be able to access information from anywhere with the need to secure your data because you can only secure it so much because you have to be able to utilize it.
Parrish: Cloud is adding a whole new dynamic to cybersecurity and protecting your environment. It used to be that everything was housed inside and you put your walls around there. Now, you’re using partners and you have to trust those partners, but the regulators, they expect that you make sure that the vendors you are using are meeting all those security requirements. Honestly, one of the bigger challenges to that end – it’s a good process but it’s time-consuming – is vendor management. That process of making sure that those vendors are compliant and they’re a sound company, that’s part of that risk assessment too. The banking industry as a whole, there’s only a few core providers who provide the core systems for banks, and a lot of them overlap, but yet every one of these banks is doing the same vendor due diligence on each of these organizations. One thing banks have talked to us a lot about is, is there any way to centralize this knowledge and communication and make the auditors happy so if one person or one group has done this already, we can use the same information. With those third-party relationships on those requirements, it’s definitely put a lot more onus on banks to really critique and evaluate their vendors.
Ommen: The data that insurers collect can be considered the crown jewels for data thieves, so the trend for insurers isn’t necessarily new but remains that they must continue to stay on the offensive against various forms of sophisticated attack attempts.
Sarah Diehn
Sarah Diehn is digital news editor and a staff writer at Business Record. She covers innovation and entrepreneurship, manufacturing, insurance, and energy.