New regulations unveiled by New York state regulators go further than any other state in handling data security among financial services companies as well as the advisors who distribute financial products, legal experts said.
The New York Department of Financial Services (NYDFS) has proposed that “covered entities” employ a number of methods to protect themselves. These include having chief information security officers, “penetration testing” protocols, audit trails, access privileges risk assessments, third-party information security policies, multifactor authentication, encryption and incident response plans.
“The proposed NYDFS cybersecurity regulation presents a more comprehensive framework for cybersecurity than has been seen in any other U.S. jurisdiction,” wrote Drinker Biddle lawyers Thomas M. Dawson and Yulia Feldman, in a legal brief.
The rule, titled Cybersecurity Requirements for Financial Services Companies, is likely to come across as a hefty and expensive proposition for many insurance companies and their distribution networks.
But it is also one that regulators around the country as well as the National Association of Insurance Commissioners will be looking at closely as New York regulates a disproportionate number of insurance companies operating in the U.S.
Limited Exemptions for Agents
Retail financial advisors with fewer than 1,000 customers, less than $5 million in gross annual revenue and less than $10 million in year-end assets benefit from a “limited exemption,” according to the NYDFS regulations.
But there are no exemptions for third parties doing business as affiliated service providers with banks, insurance companies and distributors, said James R. Woods, co-leader of Mayer Brown’s Global Insurance Industry Group in New York.
Agents and advisors therefore should beware.
“Many insurance agents and brokers are small businesses, and it is unclear whether the de minimis exception has been sufficiently tailored to exclude, for instance, an independent agent who may be well under the revenue and asset thresholds but have more than 1,000 customers,” Woods wrote in a legal update to clients.
The regulation is subject to a 45-day public comment period following the Sept. 28 publication in the New York State Register.
Woods said that whatever the final outcome, agents and brokers should take precautions and seek help with a written security and breach response plan. This should entail a relatively small investment of time and resources.
“It’s good business and will help protect the agent-broker from possible hacks and, equally important, from regulatory scrutiny and or defense of litigation in connection with a hack,” Woods said in an interview last week.
Weighing Public Interest vs. Costs
New York regulators say the far-reaching proposal is necessary to protect the public interest. Recent data breaches have even pointed to network threats from abroad that appear to be able to penetrate as deep as the U.S. election process.
Regulators say structuring an accountability framework is paramount in a world where data travels over many networks and funneled through layers of intermediaries. However, the industry is likely to raise questions about the costs and who ultimately pays.
“Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks,” NYDFS Superintendent Maria T. Vullo said.
Those risks are very real.
Scores of companies in many industries and thousands of people every year fall victim to data breaches. Some have paid a heavy price ranging from financial losses, altered identities and lost jobs to damaged brands and shredded reputations.
Nationwide retailer Target was the victim of a data breach in December 2013 following the theft of network credentials from a Pennsylvania-based HVAC vendor, and health insurer Anthem suffered a massive breach last year.
InsuranceNewsNet Senior Writer Cyril Tuohy has covered the financial services industry for more than 15 years. Cyril may be reached at [email protected].
© Entire contents copyright 2016 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.