Earlier this year, New York became the first state in the nation to issue cybersecurity regulation designed to protect insurers and financial institutions, information technology systems and customers’ data from cybercrime.
The rules require insurers, banks and financial institutions to scrutinize security at the third-party vendors that provide them goods and services, and outline guidelines for basic cybersecurity standards, including the following key steps:
- Designate a chief information security officer (CISO);
- Create an incident response plan for security breaches;
- Conduct annual self-evaluations of their cybersecurity vulnerabilities and develop corresponding updated security plans;
- Require that employees go through cybersecurity training;
- Report cybersecurity events to the state within 72 hours of discovery.
A month after the rules went into effect, New York’s top financial regulator urged the National Association of Insurance Commissioners (NAIC) to use the regulation as the basis of a nationwide model law.
“We believe the best way for industry to focus on the threat of cybersecurity is to have a consistent framework,” said Maria Vullo, superintendent of the New York State Department of Financial Services at a meeting of the NAIC in Denver. “The New York regulation is a road map with rules of the road.”
A task force of the NAIC has been developing a model cybersecurity law since 2016, which individual states can ultimately choose to adopt. The model law would establish standards for data security and notification of a data breach, and would apply to not just insurers, but agents, brokers and other parties. However, insurance commissioners so far have been unable to reach a consensus on several points, including standards for circumstances in which insurers must notify customers of a breach.
Some insurers also point to challenges and concerns regarding the New York rules. Bernie Heinze, executive director at the American Association of Managing General Agents (AAMGA), explained what compliance with the regulation may mean for their members in terms of cost: “We’re looking at estimates between $65,000 and $85,000 per year of added costs of either employing or designating somebody as a chief information security officer and annual costs of risk analysis and penetration testing – those are specialized skills. This is not usually something main street insurance agents, brokers or wholesale specialty insurers will have around.”
It will be interesting to watch the compliance journey of our peers in New York, and whether the NAIC will come to a consensus on the model law soon.
Coming up next, we will look into another aspect of cybersecurity: the challenges of underwriting for cyber risk.