New York cyber security law serves as model
New York’s cyber security regulation could serve as a model for how other states can ensure insurers and other regulated companies protect consumers and themselves from cyber breaches.
The final rule, which will become effective March 1, requires companies to put in place controls to ensure a robust cyber security program and has evolved significantly since the original proposal was published in September 2016. While the department will still require all covered entities to maintain a cyber security program to protect the confidentiality, integrity and availability of their information systems, the department will now allow the programs to be based on the individual entity’s risk assessment — a critical change according to experts who called the original proposal inflexible and a one-size-fits-all approach.
“That risk-based approach is really the most important improvement that was made over this whole review process,” said Alison Cooper, Albany, New York-based Northeast region vice president for the American Insurance Association.
But the department maintained some parts of the rule that had been criticized, including challenges to the scope of the regulation, which applies to all entities licensed by the department, and an “overbroad” definition of information systems to be protected.
“Even though the requirements are now more flexible and more individualized, they’re still going to be onerous for every company,” said Theodore Augustinos, a Hartford, Connecticut-based partner with Locke Lord L.L.P. “Even licensees that are exempt have to do something, they have to file for an exemption. Most companies will have lots of work to do over the next two years to be in compliance.”
New York’s new cyber requirements can be a model law for other states to adopt as regulators and legislators work to guard against cyber threats, according to a briefing by A.M. Best Co. released on Friday. The Oldwick, New Jersey-based rating agency has highlighted the risk cyber threats pose to insurers and asked companies to complete a specific cyber security questionnaire with relevant questions about how they protect themselves and policyholders against potential cyber attacks.
“A.M. Best realizes that many affected companies are expected to face challenges to implement an effective program within the required timelines,” the company said. “However, A.M. Best believes that in today’s advanced digital environment, new and improved regulations in this area are necessary to address the ever-increasing cyber threats.”
No other state is currently considering any regulation as prescriptive as New York’s regulation, with most other states focusing on data breaches and amending existing law to include more information such as expanding the definition of personal information to include user names and passwords, said Alex Hageli, Chicago-based director, personal lines policy and cyber expert for the Property Casualty Insurers Association of America. The National Association of Insurance Commissioners is developing a model cyber security law.
“It’s unclear what’s going to happen with that initiative at the NAIC,” he said. “That’s really the closest example … and even then, it’s not nearly as detailed and prescriptive as the New York regs are.”
Despite the lingering concerns, however, the New York department received praise for its willingness to conduct a second comment period, seriously consider the feedback provided by stakeholders and amend its proposal to address some of the overarching concerns.
“I don’t see this as a gotcha exercise,” said Andrew Holland, leader of the insurance regulatory practice at Sidley Austin L.L.P. based in New York. “I don’t think the department really wants to find lots of evidence of non-compliance and to assess big fines. They just want people to comply. They really want what they think are the strongest measures to protect the customers and to protect the companies themselves.”