Whether it is a data breach of a corporation's computer systems or alleged hacking by foreign governments, cybersecurity and privacy issues seem to bombard us daily. As counsel for insurance companies, it is important to stay abreast of the cybersecurity regulations and requirements that affect our clients.
New York is considered to have been at the forefront of cybersecurity regulation when the New York State Department of Financial Services ("DFS") promulgated its Cybersecurity Requirements for Financial Services Companies, ultimately adopted with an effective date of March 1, 2017. Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York ("Regulation 500") was a direct response to the "growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors." 23 NYCRR 500.00. To meet that threat, Regulation 500 "requires each company to assess its specific risk profile and be responsible for the organization's cybersecurity program…[in order to] ensure the safety and soundness of the institution and protect its customers." Id. A "Covered Entity" under Regulation 500 is broadly defined to include any person operating "under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." 23 NYCRR 500.01(c). Insurers, producers and other licensees of the DFS therefore fall squarely within the definition.
The provisions of Regulation 500 were set to be implemented over a series of transitional periods (23 NYCRR 500.22). While some Covered Entities have been diligently protecting customers' private information for years and have been working toward compliance with Regulation 500 at least since it became effective on March 1, 2017, two key deadlines are approaching: February 15, 2018 and March 1, 2018.
February 15, 2018 is the due date of the first annual Certification of Compliance, the Covered Entity's written statement to the DFS Superintendent that it complied with Regulation 500 during the prior calendar year. 23 NYCRR 500.17(b). The Certification is submitted in the form set out in Appendix A to the regulation and must be signed by the board of directors (or its chairperson) or a Senior Officer, and the Covered Entity must retain the records and data supporting the Certification for five years. Signing the Certification carries significant personal and institutional responsibility, as the DFS has broad investigative and enforcement authority over its licensees.
March 1, 2018 is the first anniversary of the Regulation's effective date and, therefore, the end of the one-year transitional period for several requirements. 23 NYCRR 500.22(b)(1). By that date a Covered Entity must have the following in place:
- A written report by the Chief Information Security Officer ("CISO") to the board of directors or equivalent governing body (or, if none, the senior officer responsible for cybersecurity) on the Covered Entity's cybersecurity program and material cybersecurity risks, delivered at least annually (23 NYCRR 500.04(b));
- Annual Penetration Testing of the Covered Entity's information systems, plus bi-annual vulnerability assessments, based on the risks identified in the Risk Assessment (23 NYCRR 500.05);
- A periodic Risk Assessment of the Covered Entity's information systems, carried out under written policies and designed to allow the entity's controls to be revised "to respond to technological developments and evolving threats" (23 NYCRR 500.09);
- "Effective controls," which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or information systems; in particular, Multi-Factor Authentication is required for any individual accessing the entity's internal networks from an external network unless the CISO approves reasonably equivalent or more secure controls in writing (23 NYCRR 500.12);
- Regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the Risk Assessment (23 NYCRR 500.14(b)).
In addition to New York's action, in October 2017 the National Association of Insurance Commissioners adopted the Insurance Data Security Model Law, a model statute that closely tracks Regulation 500 and that individual states may enact, which means that more and more states are likely to adopt cybersecurity regulations or laws of their own. As this happens it will be incumbent on us as insurance counsel to remain abreast of the ever-changing nature of cybersecurity and of how the governing laws and regulations apply to cybersecurity issues.