New Cybersecurity Regs Will Not be Limited to New York: Extra-Territorial Application for the Insurer and its 3rd Parties
August 28, 2017 marks the first of several rapidly approaching implementation deadlines for “covered entities” subject to the new cybersecurity regulations promulgated in March by the New York Department of Financial Services (“NYDFS”). With a few limited scope exemptions based on size, revenue, assets, and structure, 23 NYCRR Part 500 establishes minimum cybersecurity requirements for approximately 4,500 DFS regulated licensees, and the sweeping new rules will de facto extend to third-party service providers and authorized users beyond the Empire State’s borders.
New Requirements for Covered Entities
At their core, the new regulations will require each covered entity to maintain a formal, documented cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems and nonpublic information. The program will be expected to identify, detect, assess, protect, respond, and recover from cybersecurity events, and must be made available to the NYDFS Superintendent upon request. Although covered entities will be free to design their own programs or hire third-party experts, the requirements include, at a minimum: (i) designation of a qualified Chief Information Security Officer (“CISO”); (ii) employee training programs; (iii) periodic penetration testing; (iv) periodic risk assessments; (v) multi-factor authentication; (vi) audit trails; (vii) application security; (viii) data retention practices; (ix) monitoring of authorized and unauthorized users; and (x) encryption of certain non-public information. Covered entities’ Senior Management will be required to certify compliance on an annual basis no later than February 15, 2018, and must commit to notify NYDFS of “reportable” events as promptly as possible and in no event later than 72 hours from a determination of reportability.
New Guidelines for Doing Business with Covered Entities
The regulations further require covered entities to develop written policies and procedures to govern information accessible to or held by third-party service providers. Although based on the same Risk Assessment that underlies the covered entity’s own required cybersecurity program and policy, the third-party service provider guidelines are only required to address, to the extent applicable: (i) access controls; (ii) multi-factor authentication; (iii) encryption, (iv) notices; and (v) representations and warranties. In a subsequent FAQ document, NYDFS has indicated that it is incumbent upon the covered entity to make a risk assessment regarding the appropriate controls for third-party service providers, “based on the individual facts and circumstances presented.” In effect, the regulation indirectly compels any third-party service provider anywhere to conform in order to do business with a New York bank, insurance company, or other regulated financial institution because they are held to the covered entity standard.
The First Domino to Fall, Certainly not the Last
Although NYDFS was the first U.S. financial regulator to enact cybersecurity regulations, recent months have seen data security proposals from regulators in Colorado and Vermont, and earlier this week, the National Association of Insurance Commissioners (NAIC) Innovation and Technology Task Force voted to adopt the new Insurance Data Security Model Act which includes many provisions similar to the NYDFS regulation. The model act will be considered by state legislatures, many of which may have already enacted general cyber/data protection laws, over the next several years, so the development of systems and standards for the protection of insurance company and consumer data is certain to remain a hot-button in the U.S. as well as in the international insurance market.
The attorneys of Frost Brown Todd’s Insurance Industry Group have spent decades guiding our clients through legal and regulatory changes across the insurance, technology, and data security industries. For additional details and assistance in complying with these and other forthcoming insurance regulatory developments, please do not hesitate to contact Greg Mitchell (firstname.lastname@example.org) or Anthony Cotto (email@example.com).
Additional Upcoming Deadlines from NYDFS Regulation
September 27, 2017 – Deadline for filing notices seeking limited exemptions.
February 15, 2018 – Deadline for submission of first certification of compliance.
March 1, 2018 – Deadline for full compliance with CISO reporting, penetration testing, risk assessment, multi-factor authentication, and training program provisions.
September 3, 2018 – Deadline for full compliance with audit trail, application security, data retention, user monitoring, and encryption provisions.
March 1, 2019 – Deadline for full compliance with third-party vendor provisions.
Post a comment:
Ask the Blogger
Do you have a topic that you would like discussed in a future blog article? Please let us know. If you have a confidential question regarding a blog article, please feel free to contact the article's author directly, or let us know if you would like for someone to contact you directly.
Christopher C. Tieke is an associate in Frost Brown Todd's Louisville office, focusing his practice on business litigation. He graduated from the University of Cincinnati College of Law, with magna cum laude honors; served as an Associate Member of the University of Cincinnati Law Review; and participated in the Entrepreneurship and Community Development Clinic.