New York’s Cybersecurity Rules: Things Insurance Professionals Should Know
The New York Department of Financial Services (DFS) has issued cybersecurity requirements for financial services companies (cyber rules) that went into effect March 1.
The cyber rules require insurance and insurance-related companies, as well as brokers, agents and adjusters licensed in New York, to assess cyber risk profiles and design cybersecurity programs that address such risk in a “robust fashion.”
There is no doubt that cyber risk is real, and the DFS has taken steps to manage it by way of the regulation. Still, the cyber rules could prove problematic, particularly for licensed brokers, agents and adjusters. For these individuals, and for the insurance or insurance-related companies that employ or use them, there are several things to keep in mind.
The cyber rules apply to any “covered entity,” which the regulation defines as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law or Financial Services Law.”
This means that, in addition to insurers, individual brokers, agents and adjusters have a new mandate. These individuals must “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of [their] Information Systems.”
First, a covered entity should appoint a Chief Information Security Officer or use a third party to fill the role. Thereafter, the entity must conduct a risk assessment to identify breaches in security, then adopt corresponding policies and procedures and implement the security overhauls needed to bridge any gaps. All of this should be bolstered by appropriate staff education or training. Third-party vendor security also needs to be addressed.
Ultimately, the key to complying with the cyber rules is the implementation of a “living, breathing” cybersecurity program that can adapt to ever-changing security concerns, including new technologies and threats; one that can be refined when new issues arise and risks are identified.
What will not withstand a governmental audit is a set of written policies that sits on a shelf and gathers dust. Neither will policies that merely restate the law. Indeed, the likelihood of an enforcement action decreases as the level of diligence exercised in compliance increases.
The cyber rules could create a burden on many individual brokers, agents and adjusters doing business in New York, particularly the “mom and pop shops” that lack the resources of the more substantial and sophisticated industry players. Nevertheless, those licensed by the DFS must comply with the regulation in its entirety unless they are exempt. Exemption is a possibility depending upon a covered entity’s size or annual revenue, among other things. The cyber rules reduce, but do not entirely eliminate, the onus of compliance in certain situations.
Those who qualify for an exemption must file a Notice of Exemption form, as set forth in the cyber rules, within 30 days of determining that an exemption applies. The failure to do so will subject them to penalty. It would be good practice for insurance companies and agencies to alert potentially exempt licensees of the filing requirement.
How will the cyber rules be monitored? What will be the measure of non-compliance? What control protocols other than encryption will authorities accept to withstand enforcement action? What analysis will need to be conducted to determine the need for reporting? Is it realistic for smaller entities to comply?
These are all questions that have been raised, and ones without complete answers – yet. Covered entities must nevertheless take prompt action to conduct a risk assessment and establish policies and procedures.