Opening Statement of Gregory V. Serio, Superintendent of Insurance, before the Temporary Joint Legislative Committee on Disaster Response and Preparedness and the NYS Senate Standing Committee on Veterans, Homeland Security and Military Affairs

September 29, 2003

Testimony

Chairman Balboni, Chairman Destito, thank you for allowing me to appear before this joint/committee hearing examining the threat of cyber terrorism.

Admittedly, insurance may not be the first thing a person thinks about when contemplating the potential incidence of and fallout from cyber terrorism. However, when one thinks of cyber terrorism as a convenient pathway to broaden terrorism objectives – geopolitical unrest and financial or economic destabilization as well as a risk and disturbing menace in and of itself, insurance quickly comes into focus.

I would like to focus, for a few moments, on the three areas where cyber terrorism and insurance, as a major component of the state’s and nation’s financial services infrastructure, interface:

• The exposure of the insurance industry to cyber terrorism risks;
• The potential impact of cyber terrorism events upon insurers responding to other disasters – related or unrelated to the cyber-event, man-made or natural, small or large, geographically localized or disparate; and
• The need for cyber risk insurance coverages for the non-insurer business population.

In conjunction with the Governor’s Office, the State Office of Public Security, the State Office of Cyber Security and Critical Infrastructure Coordination and a host of federal financial services regulatory and critical infrastructure protection agencies, the New York Insurance Department has been a leader among insurance regulators nationwide in assessing the preparedness of and assisting insurers in planning and executing cyber security strategies. Insurers, as a major component of any economy’s critical infrastructure, as significant users of technology in their financial and marketplace activities, as potential targets for acts of financial terrorism, are an appropriate focus of our regulatory attention as respects the security both of individual institution’s systems as well as their larger monetary system with which it performs numerous important transactions everyday. Add to this already significant dimension, the notion that insurers are a critical element of any effort to respond to a disaster of any kind – the insurance dollars often times bring the first dollar into an affected community and is the single most important element of starting any recovery process – and there is a clearly compelling need for governmental and industry to work together to build and maintain most secure technological system possible.

Propelling cyber pursuit of this mutually desirable objective is an unprecedented degree of information sharing between government and insurers as to:

• Current or potential threats to systems and programs
• Plans and preparations made by carriers to secure systems, respond to cyber-events and assure disaster recovery of critical operations for business continuity with minimal interruption.

There are also unprecedented levels of inter-agency cooperation on all levels of government which have any role in financial services regulations or critical infrastructure protection. A few examples:

• The New York Insurance Department, representing 54 regulators comprising the National Association of Insurance Commissioners, has been an active player in the US Treasury Department’s Financial Services and Banking Information Infrastructure Committee. A component of President Bush’s Critical Infrastructure Protection initiative, FBIIC, brings together state insurance and banking officials with federal financial service regulators and law enforcement to develop policy and response protocols for American’s financial services industry, the regulatory community and the public in the event of any threat or event, including a cyber attack. Cross industry vulnerability assessments have been conducted, drills have been held, and a secure communications links among regulators has been established as a result of the work of FBIIC.
• Through the foresight and leadership of Jim Natoli and Will Pelgrin, the Insurance Department has also become extensively integrated into New York State’s efforts in disaster preparedness and response and cyber security planning. Frequent meetings at the highest levels of our agency of CSIC, OPS, SEMO together with routine staff interactions on the many joint projects underway has cemented the Insurance Departments and, by natural extension, the insurance industry role as a critical player in these activities.
• As one of the first state’s with government/industry disaster coalition and dedicated insurance emergency operations center to coordinate industry intelligence gathering and response plans, as a State requiring disaster preparedness plans to be filed by carriers, as a state pushing for recognition of co-disaster preparedness as an important regulatory examination focus, the New York Insurance Department has built upon this reputation and legacy by enacting the first-of-its-kind information sharing network. The secure, password protected web-based New York Information Network (NYIN) is a fully-interactive system whereby alerts appropriate for disbursement to our industry partners, such as FBIIC, OPS and New York City OEM corporate advisories, and InfraGard and CSCIC technology alerts, are electronically sent to more than 1,900 liaisons in New York’s vast insurance community, together with instructions for any company, sector or technology-specific events, threats, or warnings to be sent through NYIN to the Insurance Department for transmittal to appropriate authorities for proper handling.

Through these initiatives, the New York Insurance Department and its partners in government and industry have created an unparalleled level of communication and an unequivocal commitment to pursuing every avenue of inter-agency cooperation and public/private partnership to achieve the highest degree of security possible.

Areas that need more work, and quickly need more work, are the ability of businesses to protect themselves from cyber attacks and the incentive for businesses to plan, prepare, and practice for and against potential cyber-security events. Traditional insurance policies, many using language, terms, endorsements pre-dating the cyber age, generally do not reflect the hazards of or harms from technology compromises, by they man-made or fortuitous. The natural incentives that come from paying premiums for coverage, and the desire to minimize risk by prevention are largely not in play with most standard policy forms with the exception of tailor-made, manuscript policies – when coverages, endorsements, limitations and exclusions are custom crafted, most policies do not provide for business interruption, civil authority, loss of income and profit and related commercial coverages for losses arising from cyber-events. For a great many – and growing – number of businesses, these types of occurrences, without insurance, could be as devastating as any hurricane or fire.

If we are to truly secure our economy, the government and insurance industry ability to respond to disaster must be partnered with business’ ability to buy coverage, prevent or mitigate loss and otherwise care for itself first and foremost. As the Governor has encouraged with this bill to allow for the selling of civil authority coverage as a distinct and stand-alone risk, so too must we modernize our state insurance laws to provide better, more meaningful coverage for those who work in or rely upon cyber-space for these services of their business. By all accounts, that’s probably just about all of us.

Thank you again for this opportunity to speak on a most important topic, and I would be happy to answer any questions.