A cybersecurity event log for insurance regulators set to launch next year could play right into the hands of cybercriminals, an AI expert from a mutual insurance association told the regulators on November 18.
Lindsey Klarkowski, director of public policy –- data science, AI and machine learning, at the National Association of Mutual Insurance Companies (NAMIC), addressed the Cybersecurity Working Group of National Association of Insurance Commissioners (NAIC) at its fall national meeting in Denver.
The Cybersecurity Event Repository and Portal (CERP) follows on a cybersecurity event response plan finalized by the working group in March, and is planned to launch in 2025.
"It can present substantial systemic risk if not, first, intentionally narrow in breadth and function, and second, structured with strong security and governance protocols," Klarkoski said at the working group's session. "Even with stringent controls, we're faced with a reality today that the financial services sector is a prime target for cybercriminals. To centralize sensitive information about a large swath of the financial services sector, and the breach and response measures taken creates a treasure trove for cybercriminals to access."
Concentration of information about cyber breaches and how they were addressed could also create a source of techniques for cyberattackers to try using against other insurers, as well as what techniques worked or did not work, Klarkowski stated. The CERP should separate information about corrective procedures from information about the breaches, she added.
"By narrowing the scope of the proposal in breadth and function, some streamlining of the reporting process can still be achieved while also protecting the more vulnerable and sensitive information included in reports," Klarkowski said.
The vice chair of the NAIC working group responded that the plan for CERP already mitigates these concerns.
"If a cyberhacker were to get that and read it, the only thing they'd know is that it was fixed," said Michael Peterson, who is a cybersecurity examiner at the Virginia Bureau of Insurance, that state's regulator. "None of that information is all that useful to hack someone. Far more useful information is readily available on the dark web."
The working group is still accepting comments on the plans for CERP, said Cynthia Amann, chair of the group and marketplace coordinator at the Missouri Department of Commerce and Insurance. Amann added that the group is still working on schematics for the portal and plans to conduct a tabletop testing exercise.
