Implementation deadline nears for major cyber security ruleReprints
The New York State Department of Financial Services’ new cyber security regulations are putting a strain on insurers and brokers as they move toward compliance with the rules designed to improve cyber security among “covered entities” and their vendors.
The department’s cyber security regulation requires banks, insurers and other financial services institutions that it regulates to have a cyber security program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, otherwise known as 23 NYCRR Part 500, became effective March 1, 2017, and the 180-day transitional period ended Aug. 28, when covered entities were required to be in compliance with requirements of Part 500 unless otherwise specified. Covered entities are required to submit the first certification by Feb. 15, 2018, according to the department.
Part 500 is “designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion,” according to the regulation.
Insurers and brokers have faced challenges along the road to compliance, according to several of those involved in the process.
“Insurers and brokers, compared with their banking counterparts, which have been practicing sophisticated cyber security for years, are playing catch-up because they’ve never had to be as secure as banking regulators have forced banks to be,” said Scott Corzine, senior managing director with Ankura Consulting Group L.L.C. in New York.
Part of the burden is managing insurers’ and brokers’ vendors, which must also comply with the new standards, experts say.
“Compliance with the vendor management provisions has led to challenges,” said James Gkonos, special counsel with Saul Ewing Arnstein & Lehr L.L.P. in Philadelphia. “As part of the requirement that covered entities ensure compliance by third-party vendors, they must track compliance. Many companies have neither done this in the past nor dedicated the resources to this task, so this new requirement is proving to be a challenge.”
“The biggest unknown and difficulty factor for insurers and brokers to get over is how they identify third-party information parties, which are addressed in Part 500,” Mr. Corzine said. “They must risk-assess vendors and set minimum standards. They must go into the field and validate vendor cyber security, and must do it regularly. That’s a bear.”
Mr. Gkonos adds that there may also be a time crunch involved.
“For companies with many contracts with affected third-party vendors, the logistics of renegotiating these contracts within the prescribed time frame could be daunting,” he said.
There will likely also be more work for some companies’ board members.
“Undoubtedly, there are new responsibilities that will apply to the boards of the regulated companies,” said Matt McCabe, senior vice president in Marsh USA Inc.’s cyber practice in New York. “It’s yet another burden on the board and something else operational that they have to carry.”
“Firms have been assessing their cyber security organizational structure and determining the appropriate placement and reporting lines of the CISO. This includes special attention being paid to the independence of the CISO,” said Jaime Kahan, advisory services principal with Ernst & Young L.L.P. in New York.
“As noted in EY’s 2017 Chief Risk Officer Survey, boards have been aware of cyber threats for several years, but in 2016 and 2017 the survey identified a significant increase in organizational awareness and concern from all of those involved in the survey.” Although insurers and brokers will have to dedicate time and resources to compliance, an ounce of prevention could be worth a pound of cure given the potential extent of cyber breach damage, sources said.
“The potential damage and existential threat from a cyber event is a very powerful reason for focus in this area,” said Ms. Kahan.
“With the average cost of a data breach and regulatory defense and fines rising dramatically, NY Reg 500 is a much-needed and fundamentally sound regulation that aligns well with good information security standards like ISO 27001 and NIST 800,” said Karen Painter Randall, partner and chair of cyber security and data privacy, and co-chair of professional liability with Connell Foley L.L.P. in Roseland, New Jersey.
The ISO/IEC 27000 family of standards helps organizations keep information assets secure, according to the International Organization for Standardization.
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, from the National Institute of Standards and Technology was “developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act ... NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems.”
Ms. Randall added that “once implemented and executed, it will notably reduce a covered entity’s risk of data breaches and other common cyber security incidents resulting in the protection of consumers’ personally identifiable information and reduced legal and regulatory exposure.”
The New York regulation could even spark the creation of similar state regimes, some sources said.
“You’d expect other states to issue new regulations, and what this will lead to is a mosaic of cyber regulations across the country,” said Mr. McCabe. “Large organizations which are subject to multiple jurisdictions have to meet every one of those regulatory guidelines.”
“At a state level, other states such as Kentucky and Colorado have proposed cyber security requirements for financial institutions in their state,” said Ms. Kahan.