Testimony of Gregory V. Serio, Superintendent of Insurance, before the Temporary Joint Legislative Committee on Disaster Response and Preparedness and the NYS Senate Standing Committee on Veterans, Homeland Security and Military Affairs
September 29, 2003
Good morning. I would like to thank you, Senator Balboni and Assemblywoman Destito, and members of the Committees, for the opportunity to testify at this hearing.
Our nation is in the midst of a technology revolution allowing Americans, and the world, to gather information, communicate, and transact business on a global level in a matter of seconds with the mere press of a key or the click of a mouse. The tangible benefits associated with doing business in the world of cyberspace are obvious. Technological advances have opened up new markets for businesses regardless of their geographical location, allowing them to communicate and transact business in real-time with their customers, partners, suppliers and vendors anywhere in the world. At the same time, technology allows the consumer the convenience of online shopping, shipping, banking, entertainment, and a host of other services. Similarly, business-to-business and public-private transactions in today's world are heavily dependent on a secure and reliable cyber network. For example, at the Insurance Department, we have successfully implemented an online licensing process for agents and brokers, which has resulted in significant savings of time and resources for the State as well as our licensees. We can now process a license in 24 to 48 hours, seven days a week, saving the State over $600,000 each year.
Notwithstanding all the positive attributes of today's cyber environment, the system is only as good as the public's ability to trust the system. Public confidence in our cyber infrastructure is highly dependent on the integrity and reliability of online transactions and data storage. Privacy and security of personal financial and health data transmitted online play an even bigger role in determining whether or not an individual will utilize online services. Identity theft and numerous other threats to cyber security, such as hackers, worms and viruses, represent clear and present dangers to society's optimal use of cyberspace. We have all seen media reports that demonstrate the significant damage that can be inflicted on our economy as a result of a cyber attack. While a majority of the cyber attacks do not result in substantive damage, others can bring certain sectors of the economy to a standstill. Such was the case when the Sobig.F virus slammed corporate and government e-mail networks across the country and brought CSX Railroad's passenger and freight trains to a grinding halt in seconds. Sobig.F propagated across the nation at an enormous speed and demonstrated the debilitating impact of a few lines of misguided code.
Cyber terrorism is very different from traditional terrorism. While an external cause usually motivates the traditional terrorist, the cyber terrorist may also be self-motivated. Cyber terrorism is intrinsically rewarding where the perpetrator derives immense satisfaction from a feeling of superiority by being able to breach the defenses raised by his or her peers. The cyber terrorist can inflict different, more insidious damage with a keyboard than the traditional terrorist can with traditional methods. A few keystrokes can affect millions of people and dozens of nations in a matter of minutes and result in billions of dollars worth of damage. The detached nature of a cyber attack, where the perpetrator does not have to expose himself or herself to immediate harm, makes this crime all the easier to commit and harder to detect or trace.
While the benefits of communicating and conducting business without walls are endless, we, as a nation, must be mindful that as we become more reliant on computer networks to enhance our way of life, our vulnerability to cyber catastrophes also increases. Accordingly, it is incumbent on the public and the private sectors to take all the necessary steps, as partners, to ensure that our cyber infrastructure remains reliable, safe, and secure. Since most critical cyber infrastructures are privately owned and operated, a coordinated effort between the public and private sectors is the key to assessing and eliminating vulnerabilities that exist in cyberspace. In fact, most information technology innovations evolve rapidly either from the private sector or academic institutions.
II. Public and Private Initiatives
In March 2002, Governor George Pataki established the Cyber Security Task Force, which is designed to evaluate the State's critical cyber-infrastructure, identify potential means of a cyber attack and recommend security practices for private industry, the public sector and the general public. Further, the Governor, in September 2002, established the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to address New York State's cyber security readiness and critical infrastructure coordination.
One of the initiatives coordinated by CSCIC was the establishment of the Public/Private Sector Cyber Security Workgroup to facilitate information sharing between the public and private sectors. This workgroup is comprised of members from government, academia and the private sector all working together to take proactive steps to ensure that cyberspace is secure. The workgroup must be able to react quickly in the event of a cyber attack to minimize its impact on the affected sectors of our economy. This partnership between the public and private sectors is a continuous one as there is always a need to identify vulnerabilities in cyber networks. Further, through collaboration, each sector is able to learn from the experiences of the other sectors in the workgroup and implement best practices and standards to minimize the risk of cyber attacks.
In the aftermath of September 11th, the Executive Order that created the Office of Homeland Security also established a Critical Infrastructure Protection (CIP) Board. The CIP Board was authorized to coordinate federal efforts and programs that involve protection of information systems and networks supporting critical infrastructure, and to recommend policies and coordinate programs for protecting those information systems including those owned or operated by the private sector. The CIP Board, in turn, created a standing committee known as the Financial and Banking Information Infrastructure Committee (FBIIC) which is an information sharing and coordination organization. New York, on behalf of the National Association of Insurance Commissioners (NAIC), represents the insurance sector on FBIIC.
FBIIC membership consists of representatives of the Commodity Futures Trading Commission, the Conference of State Bank Supervisors, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the NAIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Cyberspace Security, the Office of Federal Housing Enterprise Oversight, the Department of Homeland Security, the Office of Thrift Supervision, and the Securities and Exchange Commission.
FBIIC's overall goal is to facilitate within the financial sector coordination of federal efforts and programs relating to the protection of the nation's information systems and critical infrastructure. In other words, FBIIC is responsible for identifying vulnerabilities of the financial services sector to terrorism and coordinating efforts across the sector to improve security and reliability of the financial information infrastructure.
In order to fulfill its role as a policy coordinating committee, FBIIC agencies are expected to implement the broad policies enunciated by the CIP Board internally and to encourage private sector cooperation. FBIIC is also an operational tool, bringing federal, state and private organizations together in a time of emergency, including a cyber terrorism event, to assess impacts of that event upon the many facets of the financial services sector and to direct and/or monitor actual response to the event. Insurance, as a major user of cyber technologies and as one of the essential mechanisms for stabilizing a local economic environment after such an event, is a critical concern for FBIIC.
Similarly, the Insurance Department is a member of the Metro New York chapter of InfraGard, which is a partnership between private industry and federal government (represented by the Federal Bureau of Investigation). The InfraGard initiative was developed to encourage the exchange of information about cyber intrusions, exploited vulnerabilities, and infrastructure threats between government and the private sector members. The Federal Bureau of Investigation plays the part of facilitator by gathering information and distributing it to InfraGard members.
The New York Insurance Department's participation in the initiatives referenced above has resulted in an unprecedented flow of critical information on matters related to the latest threats to our cyber infrastructure and preparedness, whether from FBIIC or other federal agencies, CSCIC or the State's Office of Public Security or New York City's Office of Emergency Management. The Insurance Department, in turn, immediately disseminates this information to the affected insurers in the State through the New York Information Network (NYIN). NYIN was activated in February 2003. NYIN, a secure, web-based communications link, is the main conduit through which the Insurance Department communicates intelligence reports and other critical but sensitive information on terrorism, including cyber threats, with the New York insurance community. NYIN consists of a password-protected area on the Insurance Department's web site where directives, advisories and other terrorism-related information are posted on a regular basis. To date, we have posted 71 advisories on NYIN, the content of which was received from various sources including CSCIC, FBIIC and InfraGard. Insurers who participate in NYIN have the requisite identification and password to access the posted information. The web site also includes a mailbox that enables all participants to exchange intelligence and terrorism-related information with the Insurance Department. In addition to posting information on our web site, NYIN is configured to send critical or time-sensitive information directly to the insurance community via mass e-mails.
The following benefits have accrued as a result of our participation in CSCIC, FBIIC and InfraGard as well as our activation of NYIN:
- Immediate dissemination of newly discovered cyber security threats to the insurance community;
- Educating the insurance community on cyber infrastructure protection;
- Opening the doors of communication on terrorism, including cyber-terrorism, between the Insurance Department and the insurance industry;
- Reporting of more cyber attacks or threats to our cyber infrastructure; and
- The opportunity to interact and share information on cyber threats, attacks and security between the different sectors of our economy.
III. Indemnification and Risk Management - Insurance Sector's Role
The need for society to invest in cyber security cannot be overstated. However, regardless of the amount of resources expended by individuals, businesses and government on this endeavor, our nation can never be fully protected against hackers and cyber terrorists who are continually seeking to exploit vulnerabilities in newly developed security systems. So while investing in cyber security is one component of a complete security package, the other component consists of purchasing the appropriate insurance product to protect against the financial consequences of a cyber attack that defeats the implemented cyber-safety measures. By developing appropriate products that allow individuals and businesses to transfer the retained risk of a cyber attack, the insurance industry can play a vital role in protecting our nation's cyber infrastructure.
Traditional property and casualty policies in the insurance portfolio of most businesses do not provide coverage for losses stemming from a cyber attack. Property policies generally require some form of physical damage to property in order for coverage to be triggered under the policy. Since a cyber attack will not, in all likelihood, result in physical damage, a majority of the resultant losses will not be covered by the typical property policy.
The insurance industry, however, offers manuscripted or tailored cyber-risk coverage to meet the specific needs of an insured. These policies are crafted individually to address the specific technology utilized, and the unique risk levels faced, by the insured. These policies generally provide, on a first party basis, coverage for corruption of data and business interruption losses stemming from a cyber attack. These policies may also provide funds for post-loss repair or reconstruction of servers and web sites as well as reconstruction of lost data. Coverage may also be provided for third party liability claims arising out of the cyber attack. In addition to providing indemnification for direct losses and payment for liability claims, insurers can provide a host of risk management services and technical expertise to the insured, leading to decreased vulnerability to cyber-related losses and increased operational efficiencies. Most of these policies, though, are issued in either the surplus lines market or in the Free Trade Zone and therefore do not need to be filed with the Insurance Department.
Also, cyber terrorism insurance is a relatively new market and only a few insurers currently specialize in providing this coverage. Insurers who do not specialize in this line find it difficult to enter the market due to the limited loss data available to appropriately price the product. The market, though, is expected to grow exponentially over the next several years as more businesses realize the need to protect themselves from this exposure. According to the Insurance Information Institute, the market for this product is expected to jump from $100 million in 2003 to $2.5 billion in 2005. Pricing of this product is also expected to stabilize as insurers gain more experience in writing the product and losses begin to accumulate, injecting more credibility into the rate-making process.
In the event of a cyber attack, information about the attack must be distributed widely, quickly and effectively to minimize its impact. Whether the cyber attack comes in the form of a denial of service, a data-erasing virus or a self-replicating e-mail worm, each attack comes at a cost. In fact, PricewaterhouseCoopers estimates that total worldwide business losses from the various collateral effects of cyber attacks totaled $1.5 trillion in the year 2000 alone. By all accounts, this form of high-tech piracy is only becoming more prevalent and more severe.
When considering the risk of loss that cyber attacks pose to both the public and private sectors, the level of preparedness undertaken by these entities is much lower than expected. A recent survey found that only half of the chief financial officers, treasurers, and risk management professionals surveyed were even minimally prepared to cope with a major systems failure caused by a cyber attack. The costs of doing nothing are escalating.
With respect to insurance coverage of a cyber event, according to a recent survey conducted by Ernst & Young of general insurance coverage by large corporations, only seven percent of respondents indicated that they were covered by a specific technology insurance policy. Moreover, thirty-three percent of respondents indicated that they were covered, but upon further investigation it was revealed that data losses and network interruptions were specifically excluded from coverage under their general property/casualty insurance policies. This should be an area not just for further development by underwriting and marketing departments of insurers, but also for further consideration by state legislators as part of a larger initiative to assure that our states are both technologically and financially protected from cyber events that cause harm to any business enterprise.
Further, it is through coordinated efforts like the Public/Private Sector Cyber Security Workgroup, FBIIC and InfraGard that we can increase public awareness so that consumers and businesses will have the information and the tools needed to protect themselves from cyber-related losses. It will, at the same time, promote consumer confidence in the information system and the infrastructure that supports that system.
The Insurance Department stands ready to work with the Legislature on any matters that will increase the flow of vital information between the public and private sectors to better secure the world of cyberspace.
Thank you and I will be happy to take any questions.