Sheila Coolidge, Senior Insurance Compliance Analyst
On March 1, 2017, the New York State Department of Financial Services (DFS) implemented benchmark regulations governing financial institutions and cybersecurity. Given the serious nature of cybersecurity breaches that put consumers’ personal information and insurers’ information technology (IT) systems at risk, financial service entities doing business in New York (with exemptions for small companies), including insurance companies, affiliates and third party service providers, must comply with comprehensive new minimum cybersecurity standards within a relatively tight time frame. The Regulation contains a general 180-day transitional period for compliance (September 1, 2017), along with specified extensions for certain provisions, and requires that the insurer’s first annual Certification of Compliance (attached to the regulation as Appendix A) be submitted by February 15, 2018. In other words, insurers doing business in New York are advised to prioritize review of existing cybersecurity programs and development of regulatory compliance action plans. Insurers not doing business in New York are also advised to pay close attention to these regulations, as they are likely to have a far-reaching impact beyond the state line.
The regulations set forth minimum requirements for the insurer to build and maintain an effective and comprehensive cybersecurity program. The insurer must address the following compliance actions:
The heart of the regulation is that the insurer must develop and maintain a cybersecurity program, based on a prescribed “risk assessment” exercise, designed to protect the confidentiality, integrity and availability of its IT systems. The insurer is required to self-assess the internal and external cybersecurity risks that may threaten the security or integrity of stored nonpublic information and IT systems (including unauthorized access, use or other malicious acts), as well as its ability to detect, respond to and recover from cybersecurity events. Additionally, the cybersecurity program must address data retention limitations; training and monitoring of company personnel; data encryption (or alternative controls) of nonpublic information in transit and at rest; and an incident response plan.
Central to compliance is the requirement that the insurer conduct periodic “risk assessments,” as defined by the regulation, of the IT systems, nonpublic information and business operations on which the cybersecurity program is based. There is no “standard” or “model” risk assessment; instead, the law is intended to allow the insurer to evaluate its own risks and controls, and to periodically update its risk assessment based on technological developments and evolving cybersecurity threats to the insurer’s particular business operations.
Each insurer must implement and maintain comprehensive written internal policies and procedures, approved by a Senior Officer or the Board of Directors, for the protection of IT systems and stored nonpublic information. Written policies must be developed based on the insurer’s prescribed risk assessment. Policies and procedures must address specified topics, as applicable to business operations, including data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery planning and resources; systems and network security and monitoring; customer data privacy; vendor and third party service provider management; and incident response. All relevant cybersecurity program documentation and information supporting the annual Certification of Compliance must be maintained for at least five years and must be made available to the DFS Superintendent upon request.
Each insurer must designate a qualified individual, the Chief Information Security Officer (CISO), responsible for overseeing, implementing and enforcing the company’s cybersecurity program, and for providing annual written reports to the Board of Directors. The regulations permit the CISO to be an employee of the insurer, one of its affiliates or a third party service provider, under specified conditions.
Each insurer is responsible for oversight of third party service providers – such as IT contractors, law firms, accounting firms and health care administrators – that have access to its information systems and stored nonpublic information. The insurer must develop detailed written policies and procedures, based on the insurer’s risk assessment, that address the initial and periodic identification and assessment of third party service provider risk, and that establish the minimum cybersecurity practices required to do business with the insurer.
The Regulations also address requirements for business continuity and notifications in the event of a breach.
Each insurer must report a “cybersecurity event” to the DFS within 72 hours of determining that an event has occurred that either has a reasonable likelihood of materially harming a material part of normal business operations, or must otherwise be reported to a governmental authority.
Each insurer must develop a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of its information systems or the continuing functionality of any aspect of its business or operations.
The DFS cybersecurity regulations were adopted after two rounds of public comments on earlier proposed versions. Most industry comments expressed concerns that the regulation was too burdensome and overly broad; however, the DFS considers the minimum standards to be warranted given the serious nature of cybersecurity risk. Due to the tight compliance timetable, insurers that write business in New York need to take action now. Company senior management, legal, compliance, information systems, and policy management staff (including all who deal with vendors and third party administrative personnel) must closely review these regulatory requirements and design and implement a cybersecurity program that addresses all associated regulatory requirements. On the insurance product side, underwriting and product development staff of insurers that write cyber insurance coverage may want to review the regulations as potential guidelines for cyber risk assessment and risk management procedures, as they are likely to be viewed as the template for industry best practices.
Regardless of whether your company does business in New York, all insurers should pay attention to these regulations, as they are expected to have a significant impact on emerging national cybersecurity regulatory efforts, which may include the pending National Association of Insurance Commissioners (NAIC) cybersecurity draft model law. As the DFS begins regulating and enforcing insurer compliance with these cybersecurity regulations, other state legislators and regulators will take notice and are likely to enact and enforce similar legislation.
Editor’s Recommendation: Keep up to date with emerging cyber security regulation with OneSumX NILS INsource.