Insurance Professionals Face N.Y. Cyber Requirements

By Juliette Fairley InsuranceNewsNet

The New York Department of Financial Services is requiring more than 3,000 financial institutions to implement a formal cybersecurity policy to address the rising threat of cyberattacks.

“For companies that are not that heavily regulated, such as mortgage brokers, insurance agents and licensed lenders, this regulation will present many new issues that they probably hadn't considered before,” said Joseph Simon, an attorney and partner at Cullen and Dykman in Garden City, N.Y. “It will impose significant new obligations on financial service companies that are covered entities.”

Under the new rules, covered entities, such as insurance companies, agencies, insurance brokerage firms and individual insurance professionals licensed to do business in New York, are required to maintain a written cybersecurity policy and conduct regular risk assessments within company-focused cyber security programs.

“Smaller insurance firms and insurance individuals are more vulnerable to a cyber attack or an event happening as opposed to a larger insurance corporation,” said Harris Tsangaris, vice president of corporate development with NFP, an insurance brokerage and consultant company. “My advice to them is just because you're small doesn't mean you're immune to any breaches.”

Insurance businesses and insurance professionals who do not maintain office space in New York are also subject to the new rules.

“It seems likely that there will be some universe of entities that will opt to relinquish licenses as opposed to comply with the regulation,” said Wes Bissett, senior counsel of government affairs with the Independent Insurance Agents & Brokers of America (IIABA) in Washington, D.C. “That's a reasonable expectation.”

Of the 27,000 licensed insurance agencies or firms in the U.S., 17,000 are in the State of New York alone and 10,000 are non-residents but maintain a New York license, according to IIABA.
Tsangaris said it would be wise for any agent or agency to consider strengthening their security.

“Cyber-readiness is something that everyone should be considering because the threat doesn't only affect the target entity but it impacts the clients of that entity,” he said.
Independent insurance professionals are particularly vulnerable due to the tremendous amount of personal and confidential information they hold for their clients.

“If you're in financial planning or you're a life insurance salesperson, you have access to social security numbers and health records,” said Tsangaris. “That type of confidential information or personally-identifiable information is actually what hackers are looking to steal and sell. Social security numbers, obviously, are worth some money on the dark web.”

Juliette Fairley is a business and finance journalist who has written four personal finance books and has written for major news organizations. Juliette can be reached at [email protected].

Juliette Fairley is a business and finance journalist who has written four personal finance books for John Wiley & Sons and has written for The New York Times, The Wall Street Journal, The Street and many other publications. She is a member of the American Society of Journalists and Authors, the New York Financial Writers Association and a graduate of Columbia University's Graduate School of Journalism. Juliette can be reached at [email protected].