Cyber Rules About to Get Real.

Posted on by

We have previously reported on NY’s onerous cyber rules. The rules go into effect by month’s end.

Specifically, n August 28, 2017, insurance companies that do business in NY will be obligated to institute policies and procedures that preserve and protect PII of clients, insureds, and other entities in accordance with 23 NYCRR §500 (et seq.). The rationale of the policy was explained by the Superintendent of the DFS:
Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.

Insurance companies, and other covered entities, are required to perform cybersecurity assessments in accordance with a written policy developed by the covered entity, that includes:
• An evaluation of encryption of data containing PII (both in transit and at-rest);
• The development of a Crisis Response Team (“CRT”) to respond to a breach;
• TFA or MFA;
• Identify and assess internal and external cybersecurity threats;
• Utilize defensive infrastructure in conjunction with appropriate policies and procedures to protect PII;
• Capability of detecting and responding to any intrusion;
• Ability to fulfill the statutorily required breach notification statutes.

Moreover, the regulations require a specific policy that regulates 14 different aspects of the covered entities operations. If this is not enough to develop specific in-house policies, the regulations also require that insurance companies ensure that other entities it does business with and transfers materials containing PII, to maintain and adhere to strict cybersecurity regulations that include a requirement for TFA, encryption, written policies, and periodic assessments of the efficacies and compliance to the policies. The insurance company is required to promulgate a policy for its third-party service providers that complies with the above requirements. If not, the insurance company may be held liable.

Furthermore, we note that this will soon be the policy in all 50 states. It is easier to implement these changes and requirements now as opposed to being forced to implement the policies at a rush and possibly not achieving full compliance.

Special thanks to Matt Care for his contributions to this post.

For more information about this post please e-mail Bob Cosgrove.