
Cyber rule creates big compliance challenge


The deadline for final compliance with cybersecurity regulations issued by the New York State Department of Financial Services is fast approaching, but a requirement that insurers certify their vendors’ cyber standards has proven daunting, experts say.

Overall, though, the regulations are seen as benefiting the insurance sector and as having pushed regulatory efforts to address cyber risk to a new level, experts say.

The department declined to comment on the March 1 deadline.

The third-party vendor requirement can be one of the regulation's major challenges because of the number of vendors that may be involved, said Jessica Robinson, CEO of technology consultancy PurePoint International in New York, who works with financial institutions, insurers and others to design and implement cybersecurity plans similar to those called for in the New York regulations.

Vendor compliance is an “enormously more difficult task” than an organization’s own compliance, said Scott Corzine, senior managing director with Ankura Consulting Group LLC in New York. “It may be hard enough to get a handle on your own internal cyber risks, but when you have third parties, it’s really tough.” 

A company could have hundreds or thousands of vendors, Mr. Corzine said. “Think about how many third parties touch an underwriter’s data or a broker’s data,” from software providers to third-party administrators.

“As a service provider, we have to be able to understand what our customers’ needs are going to be as far as the data owner,” said John Germain, chief information security officer for Duck Creek Technologies LLC. “They ultimately have the responsibility of protecting that data.” Just as an insurer can have multiple vendors, a vendor can have many customers with different needs.

“The interpretation of the requirement can vary from company to company,” Mr. Germain said. “If each company interprets these things the same way, we have to think about that. If not, now we’re introducing a ton of variation that we have to account for.”

Some see the New York law as seminal.

“What New York did was very bold,” Ms. Robinson said. “It was a wake-up call to many of the other states to ask themselves: ‘What are we doing.’”

States with cyber regulations include California, whose rules take effect Jan. 1, 2020, and South Carolina, whose rules took effect Jan. 1, 2019, according to Ms. Robinson. “I think that a lot of states recognize how important it is,” she said.

“I think that many in the industry would acknowledge that the DFS taking the steps it took helped push the (National Association of Insurance Commissioners) to complete its work on its model law related to cybersecurity,” said Scott D. Fischer, a New York-based partner with Morgan, Lewis & Bockius LLP and the former executive deputy superintendent for insurance at the department.

The feedback process employed by the department was productive, according to some experts.

“Frankly, I think that if you asked around the New York industry, stakeholders believe the regulation’s development was a fairly collaborative process and resulted in a better product than the original draft,” Mr. Fischer said.

“The first draft DFS came out with was certainly more proscriptive and contained more mandates,” said Matt McCabe, a senior vice president in New York within Marsh’s U.S. cyber practice. “I think they listened to their regulated institutions saying that cyber requires flexibility.”

The New York regulations can also be seen against a broader backdrop of heightened regulatory scrutiny for cyber, experts say.

“There’s an increased regulatory environment nationally and globally, so it’s something many businesses are paying attention to,” said Ms. Robinson.

“There have been a whole host of jurisdictions and governments at the state and federal level and internationally that are rolling out new cyber regulations,” Mr. McCabe said.

“I think there’s a trend among regulators to have interest in creating cybersecurity mandates,” Mr. McCabe added.

“There have been a lot of regulatory concerns that have come up lately; New York is one of them,” Mr. Germain said.

“When you talk about risk, this all comes down to risk and who’s responsible,” he added.

Approaching the regulations and cyber risk in general requires input from a company’s risk manager, who should at least be part of the firm’s strategy discussions, according to experts.

“Cybersecurity rises to the level of enterprise risk, especially for the financial industry,” Mr. Germain said. “From a governing perspective, the risk manager should be a part of the governing body around how these issues are addressed.”

“I would agree that risk management needs to be involved in the enterprisewide, cyber-risk discussion,” Mr. McCabe said.

Putting the risk manager in the communications loop “should be 101 stuff,” Mr. Corzine said. “How do you as a risk manager design a risk management process if you’re in charge of enterprise risk management? How do you look at cyber from the ERM perspective?”
