[BreachExchange] Cybersecurity and Insurers

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:51:07 EST 2018


Whether it is a data breach of a corporation's computer systems or alleged
hacking by foreign governments, Cybersecurity and Privacy issues seem to
bombard us daily. As counsel for insurance companies, it is important to
stay abreast of cybersecurity regulations and requirements that have an
impact on our clients.

New York is considered to have been at the forefront of cybersecurity
regulation when the New York State Department of Financial Services ("DFS")
promulgated the Cybersecurity Requirements for Financial Services Companies
and when the requirements were ultimately adopted with an effective date of
March 1, 2017. Part 500 of Title 23 of the Official Compilation of Codes,
Rules and Regulations of the State of New York ("Regulation 500") was
specifically in response to the "growing threat posed to information and
financial systems by nation-states, terrorist organizations and independent
criminal actors." 23 NYCRR 500.00. In response to the threat, Regulation
500 "requires each company to assess its specific risk profile and be
responsible for the organization's cybersecurity program…[in order to]
ensure the safety and soundness of the institution and protect its
customers." Id. A "Covered Entity" under Regulation 500 is broadly defined
to include those operating "under or required to operate under a license,
registration, charter, certificate, permit, accreditation or similar
authorization under the Banking Law, the Insurance Law or the Financial
Services Law." 23 NYCRR 500.01(c).

The provisions of Regulation 500 were set to be implemented over certain
transitional periods. While some Covered Entities have been diligently
working to protect customers' private information for years and have been
attempting to comply with Regulation 500 at least since it became effective
on March 1, 2017, certain key deadlines are approaching on February 15,
2018 and March 1, 2018.

February 15, 2018 will be the due date of the first annual certification
that the Covered Entity is in compliance with Regulation 500. The
Certification must be signed by a board member or senior officer. The
signing of the Certification carries great responsibility as the DFS has
broad investigative authority.

March 1, 2018 will be the first anniversary of the Regulation's effective
date and, therefore, will be the date by which certain annual requirements
must be met. These requirements are set forth in 23 NYCRR 500.22 (b)(1):

- Report by the Chief Information Security Officer ("CISO") to a governing
entity within the company (e.g. Board of Directors, senior officer
responsible for cybersecurity) on the Covered Entity's cybersecurity
program and any material cybersecurity risks--NYCRR 500.04(b)
- Penetration Testing of the Covered Entity's information systems; NYCRR
- Risk Assessment of the Covered Entity's information system designed to
allow for revisions in light of "technological developments and evolving
threats"--NYCRR 500.09
- Multi-Factor or Risk-Based Authentication are examples of "effective
controls" that must be in place to protect nonpublic information--NYCRR
- Cybersecurity Training program must be updated and in place for all
personnel--NYCRR 500.14(b)

In addition to the actions by New York, in October 2017 the National
Association of Insurance Commissioners adopted its own proposed
law/regulation entitled the Insurance Data Security Model Law, which means
that more and more states are likely to adopt cybersecurity regulations or
laws. As this happens, it will be incumbent on us as insurance counsel to
remain abreast of the ever-changing nature of cybersecurity and how the
governing laws/regulations apply to cybersecurity issues.