New York Cyber Regs Take Effect, Mid-Sized Firms Could See Biggest Impact
As the insurance industry has closely followed developments regarding the New York State Department of Financial Services’ (DFS) cybersecurity regulation, concerns remain over how the final regulation, which takes effect March 1, may affect mid-sized companies in particular.
“It is the mid-sized covered entities that may see the biggest impact, as it’s unlikely they will qualify for an exemption, [they] are more likely to have a meaningful cyber risk profile, and they may not have sufficient resources or budget to meet their obligations,” said Ben Zviti, senior vice president in Marsh’s Financial and Professional Products (FINPRO) Specialty Practice.
The final regulation, which is aimed at protecting New York’s financial services industry from the threat of a cyber attack, serves as the first of its kind in the U.S.
The regulation requires each company overseen by the New York DFS to assess its specific cybersecurity risk profile and design a program that addresses those risks, Zviti said.
“Larger financial institutions, with greater resources in terms of budget and personnel which are already subject to other regulatory cyber requirements, are likely to have already addressed many of the requirements of the regulation – or at the very least, are in the process of addressing them and are less likely to see a big impact,” he said.
Smaller institutions, on the other hand, may qualify for an exemption under the regulation, leaving considerable uncertainty about the impact on mid-sized companies that may have neither the budget to comply nor the qualifying characteristics to be considered exempt.
“There will be a significant amount of work for those entities that are resource challenged, and the costs associated with complying with the regulations will have to be accounted for,” Zviti said. “The costs may be passed on to individuals, may result in an increase in outsourcing cybersecurity functions or could potentially result in entities having to shut down operations.”
Bernie Heinze, executive director at the American Association of Managing General Agents (AAMGA), explained that when the initial proposed regulation was rolled out, AAMGA asked its members what compliance with the regulation may mean for them in terms of cost.
“They came back to us and said, ‘We’re looking at estimates between $65,000 and $85,000 per year of added costs of either employing or designating somebody as a chief information security officer (CISO) and annual costs of risk analysis and penetration testing – those are specialized skills,’” he said. “This is not usually something main street insurance agents, brokers or wholesale specialty insurers will have around.”
Heinze stated that while the final regulation issued March 1 is more flexible than the initial proposal, additional adjustments may be needed to make it more pragmatic and proportional based upon the nature and scope of each licensee and its operations – an idea echoed by others in the industry.
“You have to be flexible and can’t just have it carved in stone,” stated Dianna McCarthy, partner at Winget, Spadafora & Schwartzberg. “Each business has its own information to protect that other businesses might not have, so a cookie cutter plan won’t work across the board for everybody.”
Despite potential challenges, the industry also sees several benefits with the final regulation.
“Cyber-attacks by nation state and for-profit actors continue to increase, and financial institutions remain key targets,” Zviti said. “By performing risk assessments, covered entities will better understand their vulnerabilities, identify their high value data assets, critical vendors, disaster recovery and business continuity plans and become safer.”
Indeed, the regulation’s requirement that financial services institutions create a written action plan for a crisis situation can be a valuable tool, offering guidance and taking the guesswork out, McCarthy added.
“I think [the cybersecurity regulation issued by the New York DFS] might be a way to protect what it feels to be one of its primary infrastructures,” she said. “This is an effort by New York to protect its consumers and its residents.”
The regulation was first proposed in September with a 45-day notice and public comment period ending in November. After considering all comments submitted during that period, the New York DFS issued an updated proposed regulation in December subject to an additional 30-day comment period. The final regulation was announced in February, with transitional periods for compliance from the effective date of March 1 of 180 days up to two years as laid out in the final regulation.
Just as New York’s efforts to regulate cybersecurity have evolved, Zviti is also urging companies across all industries to keep pace with the constantly changing world of technology and cyber risk.
“Information security is a process and a journey, not a destination,” he said. “All industries need to face the challenge of constantly evolving to ensure vigilance in awareness and risk mitigation.”