Circular Letter No. 13 (2004)

December 29, 2004

The Insurance Department (Department) is continuing its efforts to promote higher standards for security of information assets, a vital resource for the data-intensive insurance sector. As part of this process, the Department would like to increase awareness in New York's insurance community of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Information Sharing and Analysis Centers (ISACs) were created as a result of Presidential Decision Directive 63 (PDD-63) in 1998. The directive requested the public and private sector create a partnership to share information about physical and cyber threats, vulnerabilities, and events to help protect the critical infrastructure of the United States. PDD-63 was updated in 2003 with Homeland Security Presidential Directive/HSPD-7 to reaffirm the partnership mission. Today there are ISACs for fourteen critical infrastructures such as the Financial Services, Electric, Energy, and Surface Transportation.

The FS-ISAC was launched in 1999 to help members prepare for Y2K and establish an anonymous information sharing capability within the financial services industry. The FS-ISAC consists of a secure database, analytic tools, and information gathering and distribution facilities designed to allow authorized individuals to submit either anonymous or attributed reports about information security threats, vulnerabilities, incidents and solutions. FS-ISAC members also have access to information and analysis relating to information provided by other members and obtained from other sources, such as US Government and law enforcement agencies, technology providers and security associations. After analysis by industry experts, alerts are delivered to participants based on their level of service.

The FS-ISAC offers a confidential venue for sharing security vulnerabilities and solutions. It facilitates trust and information exchange among its participants. Members benefit from the FS-ISAC's unique proactive means of mitigating cyber and physical security risks, including participation in member meetings, tabletop exercises, bi-weekly threat calls, and crisis calls where security professionals develop working relationships.

The FS-ISAC is exclusively for, and designed by, professionals in the banking, securities and insurance industries and no US Government agency, regulator or law enforcement agency may access the FS-ISAC incident database. The FS-ISAC is owned by its members. The FS-ISAC Board of Directors determines member eligibility, enforces member eligibility verification through trusted third parties, and oversees the operation of the FS-ISAC.

Although no US Government agency, regulator or law enforcement agency has access to the FS-ISAC incident database, the Department of Treasury and the Department of Homeland Security use the FS-ISAC to disseminate official information in times of crisis. This is the best way for financial services firms to receive sector specific information from the federal government.

If your organization is not already receiving FS-ISAC alerts through other sources, the Department recommends consideration be given to joining the FS-ISAC to take advantage of the first industry-wide database of cyber and physical security threats, vulnerabilities, incidents, and solutions.

More information on this initiative, including details on membership levels, pricing and application forms, can be obtained by visiting www.ins.state.ny.us/linkindx.htm and clicking on the link to the FS-ISAC home page.

Very truly yours,

Gregory V. Serio
Superintendent of Insurance