You might have noticed that cybersecurity issues are a little bit in the news these days. But we're not here to talk about Russian spies influencing US presidential elections (although that would be an interesting discussion). Rather, we're here to talk about boring NY bureaucrats, who have just proposed (for public comment) 23 NYCRR 500, CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES, which is set to take effect on January 1, 2017 (yes, that's less than 3 months from now). The proposed regulation is currently in its comment period and, if adopted, will apply to entities regulated by the NY Department of Financial Services, including insurers doing more than $5,000,000 in gross annual revenue. It will also likely serve as the blueprint for other states across the country. So what does the regulation propose to do?
Basically, to prevent and mitigate a "cybersecurity event" (i.e. an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or the information stored on it), a regulated entity (like an insurance company) is obligated to ensure that nonpublic information (like names, dates of birth and social security numbers) is protected. To do that, you must:
(1) develop and implement a cybersecurity program that includes penetration testing, vulnerability assessments, an audit trail system, access privilege limitations, application security, risk assessments, a data retention policy, encryption of nonpublic information and an incident response plan;
(2) develop and implement a cybersecurity policy that includes training and monitoring;
(3) have a chief information security officer (and other personnel); and
(4) have a third-party information security policy that applies to all third parties doing business with the insurer.
But, you might ask, what does this really mean for me? It means that you're going to need a bigger boat (to paraphrase Jaws) if you want to stay ahead of this shark and avoid fines and penalties from the NY Department of Financial Services (and also avoid lawsuits in which failure to follow the NY regulations will serve as a blueprint for what you were supposed to do and failed to do). Insurers and their vendors (like attorneys) have in their possession voluminous amounts of information (like medical records, discovery responses and transcripts) that includes nonpublic information. Yet how often is such information transmitted by insurers to their attorneys (and from attorneys to their insurers) in unsecured ways, such as unencrypted e-mail attachments? How many insurers are capable of downloading and adding to their files information that is sent by attorneys in secured ways (e.g. via Sharefile, which is our preferred data transmission method at WCM)? I think the answer is "not as many as you would hope." We here at WCM are happy to work with you on what you need to do (and to do what we can to help you ensure compliance). But there's a lot of work to be done and not a lot of time to start doing it.
For more information about this post please e-mail Bob Cosgrove.
Editor's Note: Due to public outcry, implementation of the regulations has been delayed to March 1, 2017. The shark remains in the water, but there is not yet blood.