Cybersecurity is back in the news as banks, insurers and other financial entities face another tough compliance hurdle in New York.
The Sept. 4 deadline brought into force another set of requirements from New York's cybersecurity regulation (23 NYCRR Part 500), adopted last year. The New York Department of Financial Services passed its own rules without waiting for the state insurance commissioners, who later amended their model law to resemble the New York effort.
"New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information," said Maria T. Vullo, superintendent of the DFS. "These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers."
By the deadline, covered companies must have begun mandatory annual reporting to the board by their Chief Information Security Officer on critical aspects of the cybersecurity program, and must maintain audit trails designed to reconstruct material financial transactions.
Companies must also implement controls, including encryption, to protect nonpublic information both at rest and in transit over external networks; where encryption is currently infeasible, the rule allows compensating controls reviewed and approved by the CISO. Other provisions took effect on the same date.
"There are penalties that could apply if you have not taken some of the measures that are defined in this regulation," said Patrick Knight, senior director of cyber strategy and technology for Veriato. "For example, if there is a breach, it’s specified that once a breach is identified you have a 72-hour window to start notifying those affected by it. Well, 72 hours can go by very quickly if you don’t know what you’re doing."
Spreading To Other States
New York might have gone first, but it will not be the last state to tackle cybersecurity regulations. As of May, at least 36 other jurisdictions, including the District of Columbia and Puerto Rico, were working on some type of cybersecurity regulation for financial services, said Ari Vared, senior director of product at CyberPolicy and CoverHound.
"Overall, I think there’s a movement," he added. "Where it stands today is a moving target. Obviously, New York has put the strongest stake in the ground and is leading the way in a lot of ways."
New York found a way to limit the impact on smaller companies through exemptions.
Covered entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets qualify for a "limited exemption" under the NYDFS regulation, which relieves them of some provisions (such as the CISO, penetration testing and audit trail requirements) but not of the core obligations to have a cybersecurity program and policy.
Third parties that act as service providers to banks, insurance companies and distributors get no exemption of their own: covered entities remain responsible for assessing and policing the security practices of vendors that access their systems or handle their nonpublic information.
"The larger organizations have the resources and the money to absorb this and it won’t be a big impact," said Jamie Pickles, general manager of insurance for Jornaya, a marketing and technology consulting company. "Smaller organizations are mostly exempt, so it will be the mid-sized companies that will be impacted the most."
New York regulators say the far-reaching regulation is necessary to protect the public interest. Recent data breaches, they note, show that network threats from abroad can reach as deeply as the U.S. election process.
Not Just Hackers
The cybersecurity regulation is not only about outside hackers. Companies must monitor the activity of authorized users, that is, anyone with legitimate access to their systems and nonpublic information, and be able to detect unauthorized access to, use of, or tampering with that information.
"Organizations that are collecting data and have data on people stored in databases, they need to have monitoring of the people who have access to that information to make sure they’re handling it properly," Knight said.
"To make sure that they’re not downloading all of the contents of that database and taking it to a competitor. Or to post it on the dark web. This is the world we live in now."
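One concrete form that kind of monitoring can take is shown below. This is an added illustration, not code from the article, from Veriato or from the regulation's text: it parses a constructed database query-audit log (the log format, user names, thresholds and table size are all assumptions) and flags an authorized user who reads a large share of the customer table, whether in one query or in many small chunks that no single-query limit would catch.

```python
"""Flag bulk reads of a sensitive table by otherwise authorized users.

Constructed example: the log lines below imitate a generic database
query-audit log (timestamp, user, statement type, table, rows returned).
They are not real data, and the format is an assumption rather than any
particular product's output.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: routine one-customer lookups, one oversized query by
# "dave", and one session in which "carol" pulls the table in 80-row chunks.
SAMPLE_LOG = """\
2018-09-04T09:01:12Z alice SELECT customers 1
2018-09-04T09:03:40Z alice SELECT customers 1
2018-09-04T09:10:05Z bob SELECT customers 3
2018-09-04T10:22:51Z alice SELECT customers 2
2018-09-04T10:30:00Z dave SELECT customers 300
2018-09-04T11:15:00Z bob UPDATE customers 1
2018-09-04T13:40:09Z carol SELECT customers 80
2018-09-04T13:40:30Z carol SELECT customers 80
2018-09-04T13:40:52Z carol SELECT customers 80
2018-09-04T13:41:15Z carol SELECT customers 80
2018-09-04T13:41:37Z carol SELECT customers 80
2018-09-04T13:41:59Z carol SELECT customers 80
2018-09-04T13:42:20Z carol SELECT customers 80
2018-09-04T13:42:44Z carol SELECT customers 80
2018-09-04T14:02:30Z bob SELECT customers 1
"""

# Assumed row count of the monitored table; in practice read it from the DB.
TABLE_SIZE = {"customers": 1000}

PER_QUERY_LIMIT = 100          # rows: a per-customer workflow never needs this many
WINDOW = timedelta(minutes=10)  # sliding window for chunked reads
TABLE_FRACTION = 0.5           # alert once a user has read this share of a table


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    table: str
    rows: int


def parse_log(text: str) -> list[AuditEvent]:
    """Parse the assumed whitespace-separated audit format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, rows = line.split()
        events.append(AuditEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 user, action, table, int(rows)))
    return events


def find_bulk_reads(events: list[AuditEvent], table_sizes: dict[str, int]):
    """Return (user, table, rule, rows) alerts for suspicious read volume.

    Rule "single_query": one SELECT returned more than PER_QUERY_LIMIT rows.
    Rule "windowed": a user's SELECTs on one table within WINDOW add up to
    more than TABLE_FRACTION of that table, which catches chunked extraction
    that stays under the per-query limit.
    """
    alerts = []

    for e in events:
        if e.action == "SELECT" and e.rows > PER_QUERY_LIMIT:
            alerts.append((e.user, e.table, "single_query", e.rows))

    by_key: dict[tuple[str, str], list[AuditEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "SELECT":
            by_key[(e.user, e.table)].append(e)

    for (user, table), evs in by_key.items():
        limit = TABLE_FRACTION * table_sizes.get(table, float("inf"))
        start, total, fired = 0, 0, False
        for e in evs:
            total += e.rows
            # Drop events that fell out of the sliding window.
            while e.ts - evs[start].ts > WINDOW:
                total -= evs[start].rows
                start += 1
            if total > limit and not fired:
                alerts.append((user, table, "windowed", total))
                fired = True  # one alert per user/table keeps the noise down
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_reads(parse_log(SAMPLE_LOG), TABLE_SIZE):
        print("ALERT", *alert)
```

On the sample, "dave" trips the single-query rule with 300 rows, and "carol" trips the windowed rule after her seventh 80-row chunk (560 rows in about two minutes), even though none of her individual queries exceeds the per-query limit. In a real deployment the thresholds should be derived from each role's observed baseline rather than fixed constants, and the alert should carry enough context (session, client host, statement text) to support the incident notification clock the article describes.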
The New York cybersecurity rules will take full effect in March 2019, when the last transitional provision, covering third-party service providers, comes into force.
InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]