First Steps Under New York’s Cyber Rules: Risk Assessment, Policies, Procedures
The Cybersecurity Requirements for Financial Services Companies (cyber rules) promulgated by the New York Department of Financial Services went into effect on March 1. Now, insurance companies, agencies, brokerages and producers (insurance professionals) doing business in New York, even those having a limited exemption from the cyber rules, are obligated to maintain cybersecurity programs to protect the confidentiality, integrity and availability of their information systems.
This begs the question: Exactly what must insurance professionals do to begin complying with these new regulations?
The answer is that they must complete a comprehensive risk assessment and draft and implement written policies and procedures that the cyber rules also mandate. Indeed, insurance professionals must conduct both technological and operational risk assessments, although legal counsel can offer a checklist to facilitate the latter. To many, these tasks may seem rather daunting, but risk assessment and mitigation do not have to be.
When it comes to risk assessment, insurance professionals are urged to immediately engage technology specialists equipped with insurance know-how and software designed to uncover cybersecurity vulnerabilities and threats. Indeed, an insurance professional’s first step regarding cyber rule compliance must be the retention of an expert who will, essentially, mirror the conduct of hackers by attempting to infiltrate information systems.
Technology specialists set the risk assessment process in motion by conducting vulnerability scans and penetration testing, which prod and poke the various devices on insurance professionals’ networks to find gateways to penetrate and items to exploit (e.g., outdated software, default passwords and open ports that will accept access and data packets).
For insurance professionals, retaining a reputable expert takes much of the pain and worry out of the compliance process. But the responsibilities related to the cyber rules do not end with vulnerability scans, information system testing and the implementation of software upgrades, firewalls, identity authentication protocols and network and cloud security. Beyond a technology-based risk assessment, the cyber rules require the implementation of associated policies and procedures.
While risk assessment measures are ongoing, insurance professionals can, and should, begin to create and operationalize policies and procedures to mitigate cybersecurity risk. To that end, insurance professionals would be wise to pay attention to the following operational checklist, which legal counsel can help document into usable written policies and procedures to ensure compliance with the cyber rules:
- Create a hardware, software and information systems inventory.
- Determine how the loss or short-term unavailability of data might impact operations.
- Update and test data backup, recovery and contingency procedures.
- Ensure that password access on computers coincides with the level of actual access needed by any given employee based upon job description.
- Establish detailed password guidelines, specifying password length and acceptable configuration and requiring periodic password changes and other protection protocol.
- Reposition computer monitors and apply automatic log-out mechanisms to assure systems security.
- Install virus-scanning software on all relevant devices on and offsite.
- Conduct phishing campaigns to test the susceptibility of personnel to click on suspicious links that can result in system infiltration.
- Scrutinize offsite access of computer networks, including the efficacy of identity authentication steps, and the proper use of storage media and non-secured personal telephone and mobile devices for work activities.
- Create forms to document investigation, mitigation and resolution of security incidents.
- Provide formal risk assessment and cybersecurity training and alert personnel that they are subject to administrative monitoring, thus eliminating any expectation of privacy.
- Execute agreements contemplating vendor and third-party security breaches.
- Provide detailed instructions regarding the reporting and documentation of security breaches, including to whom such breaches should be reported – governmental authorities or otherwise.
- Produce an audit log of excessive or unusual systems activity.
- Require that all lost or stolen access devices such as cards and keys, company laptops or mobile devices be reported.
In addition to the foregoing items, written policies should reference future periodic risk assessments, the identification of security personnel to whom technology and security concerns should be reported, security-related procedures to take upon the termination of employees and procedures for the retention and destruction of records and storage devices.
With qualified technology specialists and counsel in their collective corner, insurance professionals can readily abide by the cyber rules’ initial compliance requirements, something that should certainly be prioritized in a world colored by hacking scandals.
Related: