New York Cybersecurity Regulation
By Harry J. Lew
Insurance agents and brokers licensed to operate in New York have a new regulatory concern these days: how to comply with the Empire State’s new cybersecurity regulation. The new rule, reportedly the first in the nation, went live on March 1, 2017.
The product of a three-year rule-making process, the new regulation mandates insurance and financial-services entities doing business in the state to assess their cybersecurity risks and to create robust risk management programs. Although the regulation squarely targets larger financial institutions such as insurance companies and banks, smaller entities such as insurance agencies and brokerages and even individual insurance agents and financial advisors fall within its purview.
But is this something to worry about? The devil is in the details. According to JillAllison Opell and Ron Lebow, attorneys with Michelman & Robinson, the new rule applies to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance law, or Financial Services Law.” The attorneys explain that agents, brokers, and others must now “maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of (their) information systems.”
Writing in Insurance Journal, the attorneys go on to list the rule’s broad requirements, which include:
- Designing a cybersecurity program,
- Implementing a cybersecurity program,
- Appointing a so-called chief information security officer (CISO),
- Applying privacy policies and procedures for third-party vendors,
- Assessing cybersecurity risks periodically, and
- Filing notice of a cyber breach within 72 hours of the event.
Reading this list, many insurance agents, financial advisors, and small insurance agencies may worry about their ability to comply with the law . . . at least without going broke. However, the insurance industry negotiated rule exemptions for firms with fewer than10 employees, less than $5 million in gross annual revenue in the past three years, or less than $10 million in year-end total assets. An exemption limits the number of required actions for these entities and prevents having to hire a CISO. But it does not remove the need to adopt a cybersecurity program or to do risk assessments. And producers and agencies have to apply for the exemption.
So what should insurance professionals and agencies do now? According to the Independent Insurance Agents & Brokers of New York, here are the the steps to take this year:
First, determine if you qualify for an exemption. If so, file for it using the New York DFS online process. Filing should take place as soon as possible, but no later than September 27, 2017.
Second covered entities (including those with exemptions) should plan on being in compliance with 23NYCRR, Part 500, by August 28, 2017. This involves . . .
- Completing a risk assessment. See IIABNY’s checklist.
- Establish a security program and policies. See IIABNY’s policy template (IIABNY membership required).
- Limit and periodically review assess privileges.
- Be prepared to give notice of a cybersecurity event using the NY DFS form.
- Preparing an incident response plan (non-exempt entities only).
- Hring a CISO (non-exempt entities only).
That’s it for 2017 compliance! But your New York cybersecurity worries aren’t over yet. There are three additional compliance requirements coming due in 2018. You can review those here. Until then, if you have further questions about the regulation, check out this FAQ. Good luck!