New York State Gives Insurers Some Breathing Room by Pushing Back Start Date for New Cybersecurity Regulations

Mitch Wein

Just before the end of the last calendar year, the New York State Department of Financial Services announced changes to its new cybersecurity regulations, pushing back the date they will take effect to March 2017 from January 2017. In December, we held a working group on the imminent New York State cybersecurity regulations, then due to become effective on January 1, 2017, with no penalties for non-compliance until July 1, 2017. One of the attendees, who had participated in a number of recent AIA calls and an in-person meeting on the law, said that New York State was considering an additional 6 month delay, beyond the 6 months after the law goes into effect, before mandating deployment of multi-factor authentication, which was a huge issue for most carriers. Within that draft, encryption in transit and at rest was not going to be required to be deployed for 5 years; however, compensating controls would be expected in the interim. The conversation covered the cost to comply, how to decide what to deploy versus what can be skipped, and cloud, specifically whether cloud increases or decreases risk. There was a discussion of “accumulation risk” caused by a cloud: a hack of the cloud could automatically trigger a security event for everyone in that cloud. There was a large discussion around the responsibilities of carrier partners, whether they are MGAs or agents on the distribution side, or outsourcers and other service providers on the service side. There was a clear consensus that the carrier is responsible for security if it is manufacturing products that provide coverage (even if someone else has the right to underwrite and bind the policy). We had a good conversation around what will need to be reported to the CEO and Board (a high-level dashboard supported by details). There were areas of concern around reporting; it would need to include both successful and unsuccessful security events. Things like attempted phishing attacks through email (even if blocked at the firewall) would need to be reported under the regulations.

There was also a discussion around European security laws and how they overlap with or differ from the New York State laws. The revised regulations responded to these types of concerns and ease some specific timelines and requirements, especially around encrypting data and multi-factor authentication. They also provide more time for compliance, expanding the transition window from six months to as long as two years for most items. The effective date will now be March 1, 2017. Although the easing of the regulations will take some pressure off, the need to do a NIST assessment, and the requirement to put in place proper technical solutions, processes, procedures, metrics and reporting, all remain.