New York’s New Reg, Explained

Last week, the New York State Department of Financial Services (NYSDFS) published the final version of its cybersecurity rule, which takes effect on March 1, 2017. The Council’s outside counsel, Steptoe & Johnson, has provided a memo (members only, must be logged in to ciab.com to download) highlighting the scope of the exemptions, the dates for specific requirements and an analysis of the proposed rule.

While the final rule is generally identical to the substantive requirements of the last version of the proposed rule, one fundamental change regarding the scope of exemptions has been modified to provide that firms and their affiliates, with one of the following qualifications, are completely exempt from several of the more onerous and prescriptive components of the rule:

  1. Fewer than 10 employees (including independent contractors) located in New York;

OR

  1. Less than $5,000,000 in gross annual revenue in each of the prior three fiscal years from New York business operations;

OR

  1. Less than $10,000,000 in year-end total assets

As a result, brokerage and insurance companies that meet one of the above criteria will only have to comply with the first five requirements under the rule:

  1. A cybersecurity program based on the risk assessment of the covered entity
  2. A written cybersecurity policy approved by each entity’s senior officer or board of directors
  3. Periodic risk assessments to inform design of the cybersecurity program
  4. Policies and procedures applicable to third-party vendors
  5. Proper notices to the NYSDFS Superintendent within 72 hours of a “cybersecurity event”

Technically, the rule goes into effect on March 1, 2017, but covered entities generally will have until August 28, 2017 to transition into compliance with it. The rule also provides delayed compliance dates for many of the specific requirements.

For questions or concerns, please contact The Council’s John Fielding at john.fielding@ciab.com.

New York, New Reg

New York finalized its cybersecurity regulation, as announced by Governor Andrew Cuomo yesterday.

The rule requires brokers, insurance companies, banks and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data.  The final rule takes effect on March 1, 2017, the same effective date provided in the proposed draft of the rule issued last December.

The regulation establishes controls to ensure financial firms maintain a “robust” cybersecurity programs to protect consumers’ personal data.  It also establishes minimum standards for technology systems related to controlling access, encryption, penetration testing, and also creates standards to address breaches.

The Department released two drafts of the proposal for comment last year, and The Council submitted comments on both versions.  The Council’s outside counsel, Steptoe & Johnson, is currently reviewing the final rule and will have a full analysis in the coming days.

Click here to read the final rules.

The Wild West of Cybersecurity Regs

This week the White House unexpectedly canceled the signing of a cybersecurity executive order after meeting with White House cyber staffers, top government cyber officials and a handful of people from outside the government.

The executive order was supposed to be issued on January 31 and include a directive for federal agencies to adopt the NIST cybersecurity framework (which have been repeatedly breached in recent years) but following the meeting, the executive order was scrapped without explanation.

Separate but related, legal experts are predicting that with President Trump’s recent actions to relax the regulatory environment, states may take it into their own hands to implement more aggressive data security laws. As a result, we may see mores states seek to implement stricter state-wide legislation similar to New York’s recent proposed cybersecurity rule.

The Council views this as unwelcome as the existing maze of state data security laws and regulations already makes it a daunting task to keep your business and your clients in compliance. It is why The Council is a proponent of federal breach notification legislation that could preempt state and local laws.

We are certainly hopeful the new Congress will address this but, in the meantime, we encourage Council members to tap into our continuously updated library of state-by-state data security laws and regulations designed to take the confusion out of the compliance equation. For login help, please email robert.boyce@ciab.com

Request for Comments:

Lastly, NIST requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). This Request for Comments (RFC) is meant to facilitate coordination with, “private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations.”

Comments are due April 10, 2017, so please email robert.boyce@ciab.com with input by April 1.

The proposed update and comments to the Framework can be reviewed at http://www.nist.gov/cyberframework.

The New York Cybersecurity Rule

In December, the New York State Department of Financial Services (NYSDFS) issued a revised version of its proposed cybersecurity rule. It requires financial services firms that are licensed, or are otherwise granted operating privileges by the NYSDFS (Covered Entities), including the insurance industry, to establish and maintain a cybersecurity program, showcasing the State’s keen focus on cybercrime and security.

The changes reflected in the revised proposal resulted, in part, from the substantial public comments submitted in response to the original proposal issued on September 13, 2016. The Council was among those that submitted feedback.

Although the revised proposal is more closely aligned with a risk-or processed-based approach to cybersecurity, The Council still has concerns. First, the revised proposal retains an extremely short notification window (72 hours) and continues to impose requirements relating to third-party service providers that could be difficult and costly for businesses to implement. Furthermore, the proposal still does not include a HIPAA exemption for businesses that are in compliance with that statute and has not limited the definition of covered entities to exclude captive insurers.

The NYSDFS is accepting comments on the revised proposal only until January 27, 2017. Given the short window, we ask that you provide input and comments to us by January 19. If you plan to submit your own letters, please shoot a note to John Fielding at john.fielding@ciab.com with this information.

This revised proposal will delay both the effective date and the original 180 day transitional period for businesses. Under the revised proposal, the rule will go into effect on March 1, 2017.

The Geneva Association: Insuring Cyber Risk

What is insurable risk? That’s the key question being explored by international insurance industry think tank, Geneva Association, is a new report on the cyber insurance market.

There are many challenges to insuring cyber risk, the report states, “especially due to a lack of data and modelling approaches, the risk of change, and incalculable accumulation risks.” Additional challenges to insuring cyber risk include information asymmetry, resulting in adverse selection and moral hazards, and coverage limits in the market.

According to a recent CyberScoop article, a lack of actuarial data could have profound consequences after Fitch’s recent warning that it will downgrade credit ratings of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”

Fortunately, the future is looking bright for the cyber market in the insurance industry and governments have many opportunities to promote it. As the market grows, risk pools become larger and more data will become available. Additionally, increased capacity and more competition will inevitably push prices down and result in more uniform terminology, standardization and pre-coverage risk assessment. The report also recommended that industry and governments collaborate on public-private partnerships when collecting data for cyber incident repositories. Lastly, many experts believe that pre-coverage screening and reporting requirements could alleviate adverse selection effects.

Deputy Secretary General of the Geneva Association and editor of the report, Dr. Fabian Sommerrock commented, “We are very pleased to publish this report which provides an insight into the current level of understanding about cyber risk and cyber risk insurance …This report has been provided to increase understanding of the risk and support the insurance industry’s role in mitigating and managing it for the benefit of individuals, institutions and governments alike.”

NAIC Model Law Delayed For Consideration Until 2017

The NAIC’s cybersecurity task force released its third and final draft of the NAIC cybersecurity model law in August, which was hoped to be considered for approval. However, “stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft,” according to Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.

Trump’s Homeland Pick Highlights Doubts on DHS Cyber Role

With General John Kelly appointed as Secretary of Homeland Security, Trump’s administration promises to put border security as its top priority. This means that other priorities, especially cybersecurity, could take a back seat at DHS. Current Secretary Jeh Johnson warns the new administration against losing focus on cybersecurity and calls for it to continue as “a top priority on a bipartisan basis.”

Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and since then, has received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how their cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”

Report: Cyber Insurance Market to Top $14 Billion by 2022

With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PWC forecasts that annual gross of premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.

Panel Urges Better Cybersecurity to President-Elect Trump

The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days of office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.