Last week, the New York State Department of Financial Services (NYSDFS) published the final version of its cybersecurity rule, which takes effect on March 1, 2017. The Council’s outside counsel, Steptoe & Johnson, has provided a memo (members only, must be logged in to ciab.com to download) highlighting the scope of the exemptions, the dates for specific requirements and an analysis of the proposed rule.
While the final rule is generally identical to the substantive requirements of the last version of the proposed rule, the scope of the exemptions has been modified in one fundamental way: firms and their affiliates that meet one of the following qualifications are completely exempt from several of the more onerous and prescriptive components of the rule:
- Fewer than 10 employees (including independent contractors) located in New York;
- Less than $5,000,000 in gross annual revenue in each of the prior three fiscal years from New York business operations;
- Less than $10,000,000 in year-end total assets.
As a result, brokerage and insurance companies that meet one of the above criteria will only have to comply with the first five requirements under the rule:
- A cybersecurity program based on the risk assessment of the covered entity
- A written cybersecurity policy approved by each entity’s senior officer or board of directors
- Periodic risk assessments to inform design of the cybersecurity program
- Policies and procedures applicable to third-party vendors
- Proper notices to the NYSDFS Superintendent within 72 hours of a “cybersecurity event”
Technically, the rule goes into effect on March 1, 2017, but covered entities generally will have until August 28, 2017 to transition into compliance with it. The rule also provides delayed compliance dates for many of the specific requirements.
For questions or concerns, please contact The Council’s John Fielding at firstname.lastname@example.org.
New York finalized its cybersecurity regulation, as announced by Governor Andrew Cuomo yesterday.
The rule requires brokers, insurance companies, banks and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data. The final rule takes effect on March 1, 2017, the same effective date provided in the proposed draft of the rule issued last December.
The regulation establishes controls to ensure financial firms maintain “robust” cybersecurity programs to protect consumers’ personal data. It also establishes minimum standards for technology systems related to controlling access, encryption and penetration testing, and creates standards for addressing breaches.
The Department released two drafts of the proposal for comment last year, and The Council submitted comments on both versions. The Council’s outside counsel, Steptoe & Johnson, is currently reviewing the final rule and will have a full analysis in the coming days.
Click here to read the final rules.
This week the White House unexpectedly canceled the signing of a cybersecurity executive order after meeting with White House cyber staffers, top government cyber officials and a handful of people from outside the government.
The executive order was supposed to be issued on January 31 and include a directive for federal agencies (which have been repeatedly breached in recent years) to adopt the NIST cybersecurity framework, but following the meeting, the executive order was scrapped without explanation.
Separate but related, legal experts are predicting that with President Trump’s recent actions to relax the regulatory environment, states may take it into their own hands to implement more aggressive data security laws. As a result, we may see more states seek to implement stricter state-wide legislation similar to New York’s recent proposed cybersecurity rule.
The Council views this as unwelcome, as the existing maze of state data security laws and regulations already makes it a daunting task to keep your business and your clients in compliance. That is why The Council is a proponent of federal breach notification legislation that could preempt state and local laws.
We are certainly hopeful the new Congress will address this but, in the meantime, we encourage Council members to tap into our continuously updated library of state-by-state data security laws and regulations, designed to take the confusion out of the compliance equation. For login help, please email email@example.com.
Request for Comments:
Lastly, NIST requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). This Request for Comments (RFC) is meant to facilitate coordination with “private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations.”
Comments are due April 10, 2017, so please email firstname.lastname@example.org with input by April 1.
The proposed update and comments to the Framework can be reviewed at http://www.nist.gov/cyberframework.
In December, the New York State Department of Financial Services (NYSDFS) issued a revised version of its proposed cybersecurity rule. It requires financial services firms that are licensed, or are otherwise granted operating privileges by the NYSDFS (Covered Entities), including the insurance industry, to establish and maintain a cybersecurity program, showcasing the State’s keen focus on cybercrime and security.
The changes reflected in the revised proposal resulted, in part, from the substantial public comments submitted in response to the original proposal issued on September 13, 2016. The Council was among those that submitted feedback.
Although the revised proposal is more closely aligned with a risk- or process-based approach to cybersecurity, The Council still has concerns. First, the revised proposal retains an extremely short notification window (72 hours) and continues to impose requirements relating to third-party service providers that could be difficult and costly for businesses to implement. Furthermore, the proposal still does not include a HIPAA exemption for businesses that are in compliance with that statute, and it has not limited the definition of covered entities to exclude captive insurers.
The NYSDFS is accepting comments on the revised proposal only until January 27, 2017. Given the short window, we ask that you provide input and comments to us by January 19. If you plan to submit your own letters, please shoot a note to John Fielding at email@example.com with this information.
This revised proposal will delay both the effective date and the original 180 day transitional period for businesses. Under the revised proposal, the rule will go into effect on March 1, 2017.
After more than seven months, the Commission on Enhancing National Cybersecurity has finalized its report on the Cybersecurity National Action Plan (CNAP) and is submitting it to President Obama. The Commission, which consists of “top strategic, business and technical thinkers from outside of Government,” according to a recent Politico article, was established as part of Obama’s effort to enhance the nation’s cybersecurity posture. The report is expected to be available to the public soon.
Members of the Commission explained that the report focuses largely on short-term recommendations, with “market-based solutions rather than government regulations,” such as incentives and voluntary standards. The objective of CNAP is to enhance the nation’s long-term cybersecurity structure in both the public and private spheres. However, Kiersten Todt, executive director of the Commission, explained that “the urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”
It is unclear how President-elect Donald Trump will handle the executive order and the Commission’s recommendations in the report, but the Commission has stated that a nonpartisan approach has been a key focus. Experts on the matter said that the nonpartisan nature of the executive order could give Trump a “rare opportunity to build on the work of President Obama.” Stanford University cyber researcher and Commission member, Herb Lin, also explained that “the political environment is very different now than it was before the election,” and that the Commission was “very scrupulous about not compromising the nonpartisan nature of the report.” The Commission consists of both Republican and Democratic representatives.
Trump has emphasized the need for the incoming administration to take a strong stance on hackers while simultaneously building out offensive cyber capabilities. The President-elect has vowed to create a “cyber review team” and change the nation’s stance on cybersecurity in the first 100 days of office, meaning he may choose to start fresh with his own agenda instead of building on Obama’s.
It recently occurred to us that most of our summer interns were not born until after the founding of the European Union. While they did not experience the inception, they can now say they were in DC during the summer of Brexit, when Great Britain voted to leave the EU.
As the world is still reeling in light of this decision and trying to figure out what the implications will be, we are keeping a close eye on the London Market. Our priority is determining what Brexit means for the insurance industry, for our member firms who are based in the UK and for those who do business internationally.
The UK has many decisions to make in the next two years. Of the laws and regulations that are currently uniform across the EU – what stays and what changes?
One example is data privacy and laws that govern how companies manage their data. Last year the EU created the General Data Protection Regulation (GDPR), which is expected to be the common standard for data privacy laws across the EU. Will the UK adopt the GDPR standard, or create its own standard? The Information Commissioner’s Office has said the UK will continue to use the GDPR, or an equivalent system, but time will tell. Similar questions have been raised about insurer and bank solvency regulations that are created by the International Association of Insurance Supervisors (IAIS) and the Financial Stability Board (FSB).
Brexit will create challenges, but with those could also come opportunities for the US to collaborate with the UK to create more complementary standards.
As the people in Britain celebrate or bemoan their new independence, we hope everyone here in the United States has a very safe and enjoyable Independence Day weekend!
On Tuesday and Wednesday of this week, we attended the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force Interim Meeting in Washington, D.C. The meeting focused on the current draft of the Insurance Data Security Model Law, providing stakeholders an opportunity to comment before it moves to the next stage. This model law, which is intended to “establish the exclusive standards for data security and investigation, and notification of a breach of data security applicable to licensees,” was first released for public comment in early March. While much of the conversation over the two days focused on minor details regarding definitions, risk management requirements, and data breach notification requirements, the overall consensus was that, in some areas, the law is too broad, too prescriptive, or simply not possible to follow.
One of the main areas of concern expressed during the meeting was the fear that, if enacted, this NAIC model would simply add another layer of compliance on the industry. There are currently 47 different state data breach notification laws across the country, and many states have data security requirements in place as well. Moreover, there is talk of federal action on the issue. The NAIC’s intent is for the model to preempt other relevant state laws, but there is no guarantee that will happen – models rarely are enacted word-for-word, and this is a “hot” issue, with a great deal of interest from state attorneys general and others. As for The Council, the broad concern is that an insurance-specific approach, while appealing in theory, is not possible because this is an issue that crosses sectors. We want to avoid multiple and duplicate requirements among the states. Nonetheless, the NAIC process appears to be going relatively smoothly, and the timeline is fast, especially for the NAIC. Comments on the current model law draft are due by next Friday, after which another draft will be released for review and comment. While there is a lot more to come, the NAIC appears to be pushing hard to get the model prepared for adoption by the NAIC Cybersecurity Task Force’s August meeting in San Diego.
In a recent PropertyCasualty360 article, Timothy Zeilman, vice president of Hartford Steam Boiler, a subsidiary of Munich Re, stresses the need for the insurance industry to underwrite cyber policies focused on middle-market companies, which are attractive targets for cybercriminals. Middle-market organizations’ networks, for example, are often left unprotected as executives fail to put enough emphasis on cybersecurity or lack the resources that larger organizations have to build and maintain cyber defenses. Mid-size companies can also be seen as a “potential backdoor to access the networks of larger clients.” While mid-size organizations store large amounts of personal information and business data, they often do not have the resources to be able to afford the most comprehensive, expensive cyber policies, or they underestimate the extent of their risk. As Zeilman explains, “medium sized companies, meanwhile, are squeezed between expensive cyber policies designed for big organizations and low-cost insurance packaged for small businesses.” As such, many middle-market organizations settle for policies that are more affordable, but provide inadequate coverage. Zeilman cautions that there is a gap in the market for a very important segment of customers and encourages insurers and brokers to fill that gap.
The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee met on Tuesday to discuss the role insurance can play in cyber risk management. The Chairman of the subcommittee, Rep. John Ratcliffe (R-TX), explained that while the cyber insurance market is in its infancy, the potential is vast, and shopping for and purchasing cyber insurance can help firms evaluate their cyber risks. The official statements from the witnesses can be found here.
Witnesses discussed the growth of the cyber insurance market and what state insurance commissioners, the private sector and the federal government are doing to encourage more cyber risk management. Chairman Ratcliffe emphasized, and other Members agreed, that legislators should facilitate, but not mandate, private sector solutions and the maturation of the cyber insurance market. Tom Finan, Chief Strategy Officer at Ark Network Security Solutions and former Senior Cybersecurity Strategist and Counsel at DHS, said that cyber insurance is helping facilitate discussions about cybersecurity among the C-suite and CISOs, because executives understand the value of insurance even if they don’t fully grasp the complexity and severity of cyber risk. All Members of the committee and witnesses agreed that the cyber insurance market must be allowed to grow and mature at its own pace, but that the potential for cyber insurance to encourage greater cyber risk management and resilience is great.
Last week was a busy week on the cyber front. We saw Apple and the FBI square off during the House Judiciary Committee’s “Encryption Tightrope: Balancing Americans’ Security and Privacy” hearing, while across the country in San Francisco, 30,000-40,000 cybersecurity experts gathered for the world’s largest cybersecurity conference. As James Comey, director of the FBI, Bruce Sewell, SVP and general counsel for Apple, and others debated in Washington, the encryption debate over privacy vs. security was just as heated thousands of miles away in California.
For most cybersecurity experts, encryption is a key development for keeping our nation safe. “There is no technology more important than encryption,” said Microsoft President and Chief Legal Officer Brad Smith at the conference. “That is why we need to stand up, be thoughtful and be vocal […] The path to hell starts at the back door, and we need to make sure that encryption technology remains strong.” The fear that cybercriminals could access and use such a backdoor for catastrophic purposes is certainly a valid concern. Additionally, privacy advocates have expressed that forcing Apple to create this iOS software could set a dangerous precedent for future investigations, encroaching on U.S. citizens’ privacy.
As for the government, creating this software to bypass the iPhone’s key security features could potentially assist the San Bernardino investigation and provide invaluable information for the war against terrorism. In the House Judiciary Committee hearing last week, Comey attempted to convince the committee that, if the software is created, the government will be careful not to take advantage of the decision. “We are not asking to expand the government’s surveillance authority,” said Comey, “but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe.” Surely, the final decision will help establish a precedent on whether, what and how much the government can access.