As you have undoubtedly read, New York Cybersecurity Regulation 23 NYCRR 500, the not-so-new cybersecurity regulation in New York, is in effect and applies to all New York-licensed insurance agencies and agents, both resident and non-resident. Please see the New York Department of Financial Services (“DFS”) and our prior posts here & here. We have added some new information and key points to keep in mind:
- The first set of compliance requirements went into effect August 28, 2017, as noted by DFS (see here):
August 28, 2017 – the 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- The regulation requires licensees to report hacking attempts to the state within 72 hours (see here).
- The deadline for filing exemptions has been pushed back to October 30, 2017 (see here & here).
- After October 30, the next compliance deadline is February 15, 2018 (see here).
Some reminders that we have learned along the way which may be helpful (these may apply differently to different entities and may change in the future):
The regulation applies to any insurance agency and individual licensed in New York, even non-residents. So if an agency is not licensed in New York, but an individual is, the individual still must be compliant. And all NY licensees must comply; no one is exempt. There is an exemption provision, but it is not an exemption from the regulation. It exempts certain smaller licensees from a few of the requirements (see here, here & here).
NYS DFS defines a Covered Entity as any person who is licensed under NYS banking, financial, or insurance laws. Employees who are Covered Entities will need to file an exemption for their personal license or face penalties including license suspension or revocation.
Its requirements impose new obligations on every resident and nonresident insurance agency, and every resident and nonresident individual, licensed by New York.
The deadline for the first set of requirements was in August, but no filing was required at that time. So in theory compliance is required now, which may include, depending on exemptions (see here):
- Establishing a cybersecurity program,
- Creating and following a set of cybersecurity policies,
- Assigning a CISO,
- Limiting and periodically reviewing user access privileges,
- Hiring qualified cybersecurity personnel, and
- Establishing a written incident response plan.
As a specialty wholesale broker and underwriting manager focused on E&O, D&O, EPL & Cyber Risk, we have an interest in strong IT security. Cyber Risk Insurance is an important financial protection against cyber risk, and we have the expertise and resources to assist insurance agencies in providing comprehensive Cyber Risk Insurance to their clients. We also provide Cyber Risk Insurance and cyber risk management resources to our retail insurance agency clients.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). Cyber Risk Insurance is a specialty, and we excel at hard to place accounts. Review our expectations here.
Content © Tennant Risk Services Insurance Agency, LLC, 2005 - 2018 | All Rights Reserved.