Printed from BusinessInsurance.com

State's 'onerous' cyber regulations viewed as good security practices

Posted On: Feb. 3, 2019 12:00 AM CST

While the cyber regulations from the New York State Department of Financial Services have drawn comments such as “onerous” and “draconian,” some experts suggest the rules represent sound business practices likely underway at many insurers.

The New York regulation is “aligned with good security practices I would expect a company concerned about security would be doing anyway,” said John Germain, chief information security officer for Duck Creek Technologies LLC. “These are good practices to have in place whether there is a requirement or not.”

“What I saw in this regulation are things that have always risen to the top,” Mr. Germain added. “Strong governance, the ability to manage access, and have an audit trail.”

Insurers are accustomed to regulation and likely had cyber on the radar already, according to Matt McCabe, a senior vice president in New York within Marsh’s U.S. cyber practice. “I think most financial institutions already were examining what their cyber risks were,” Mr. McCabe said. “This is an industry that is used to dealing with a high degree of compliance.”

“I think that most companies were already establishing cybersecurity policies,” said Scott D. Fischer, a New York-based partner with Morgan, Lewis & Bockius LLP and the former executive deputy superintendent for insurance at the department. “The fact that there is now a regulatory requirement to make all companies take action is a good thing for the industry as a whole.”