New York State's new cybersecurity regulation effect on insurance agents

In 2017, New York State is planning on implementing new cybersecurity regulations on financial services companies.   Initially, the regulations were going to apply to all insurance agents, regardless of their size.  However, the insurance agent advocacy firm, IIABNY, suggested during in-person meetings with NYS that it lessen the burden on smaller insurance agents.   

The original proposal from NYS would have required most agencies, even small ones with one or two employees, to comply with the new cybersecurity regulations. IIABNY met with DFS representatives in October of 2016 to explain that the majority of IIABNY's members had fewer than 8 employees and these small insurance agencies simply could not comply with the requirements proposed by the new regulation. Specifically, IIABNY suggested that the limited exemption be based on number of employees, and not the number of customers as proposed. IIABNY also suggested that the limited exemption be changed so that agents would only have to meet one of the three listed criteria (employees, revenue or assets) instead of all three. The DFS accepted all of IIABNY's recommendations for this section.

The most important change broadens the limited exemption to include agents with:

• fewer than 10 employees (instead of 1,000 customers), OR (instead of AND)
• less than $5 million in gross annual revenue, OR
• less than $10 million in year-end total assets.

The limited exemption has also been expanded to employees, agents and representatives of a Covered Entity to the extent they are covered by the cybersecurity program of the Covered Entity, and to Covered Entities that do not directly or indirectly operate, maintain, utilize or control Information Systems.

This revised definition will exempt the majority of IIABNY members from many of the more onerous requirements in the regulation including:

• penetration testing and vulnerability assessments,
• establishment of an audit trail,
• employment of cybersecurity personnel,
• training of employees and monitoring of authorized users,
• multi-factor authentication,
• encryption of data at rest and in transit,
• application security,
• designation of a Chief Information Security Officer (CISO); and
• development of an incident response plan. 

Entities qualifying for the limited exemption will still be required to comply with certain provisions of the regulation. These include:

• Establishing a cybersecurity program and implement cybersecurity policies designed to protect its Information Systems
• Limiting and periodically reviewing access privileges;
• Conducting periodic Risk Assessments of Information Systems;
• Implementing policies and procedures to secure information accessible to Third Party Service Providers;
• Establishing policies for disposal of Nonpublic Information no longer needed; and
• Providing notice to the Superintendent of a Cybersecurity Event;

Covered entities claiming the exemption will be required to file an exemption notice with the DFS.

The regulation will take effect on March 1, 2017 with 180 days for compliance (September 1, 2017). However, additional transition periods have been added to the revised proposal to provide outside deadlines for compliance with specific requirements of the regulation.

One such transitional period applies to the requirement to establish policies for dealing with Third Party Service Providers. This provision would not take effect for two years, or until March 1, 2019.

The revised proposal is subject to 30-day comment period during which affected parties may comment. IIABNY may seek additional changes, but is pleased that its efforts to effect meaningful change have paid off.

All in all, this is a huge win for New York based insurance agencies that are smaller and don't have the capacity to implement such rigorous standards.