New York’s New Reg, Explained

Last week, the New York State Department of Financial Services (NYSDFS) published the final version of its cybersecurity rule, which takes effect on March 1, 2017. The Council’s outside counsel, Steptoe & Johnson, has provided a memo (members only, must be logged in to ciab.com to download) highlighting the scope of the exemptions, the dates for specific requirements and an analysis of the proposed rule.

While the final rule is generally identical to the substantive requirements of the last version of the proposed rule, one fundamental change regarding the scope of exemptions has been modified to provide that firms and their affiliates, with one of the following qualifications, are completely exempt from several of the more onerous and prescriptive components of the rule:

  1. Fewer than 10 employees (including independent contractors) located in New York;

OR

  1. Less than $5,000,000 in gross annual revenue in each of the prior three fiscal years from New York business operations;

OR

  1. Less than $10,000,000 in year-end total assets

As a result, brokerage and insurance companies that meet one of the above criteria will only have to comply with the first five requirements under the rule:

  1. A cybersecurity program based on the risk assessment of the covered entity
  2. A written cybersecurity policy approved by each entity’s senior officer or board of directors
  3. Periodic risk assessments to inform design of the cybersecurity program
  4. Policies and procedures applicable to third-party vendors
  5. Proper notices to the NYSDFS Superintendent within 72 hours of a “cybersecurity event”

Technically, the rule goes into effect on March 1, 2017, but covered entities generally will have until August 28, 2017 to transition into compliance with it. The rule also provides delayed compliance dates for many of the specific requirements.

For questions or concerns, please contact The Council’s John Fielding at john.fielding@ciab.com.

New York, New Reg

New York finalized its cybersecurity regulation, as announced by Governor Andrew Cuomo yesterday.

The rule requires brokers, insurance companies, banks and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data.  The final rule takes effect on March 1, 2017, the same effective date provided in the proposed draft of the rule issued last December.

The regulation establishes controls to ensure financial firms maintain a “robust” cybersecurity programs to protect consumers’ personal data.  It also establishes minimum standards for technology systems related to controlling access, encryption, penetration testing, and also creates standards to address breaches.

The Department released two drafts of the proposal for comment last year, and The Council submitted comments on both versions.  The Council’s outside counsel, Steptoe & Johnson, is currently reviewing the final rule and will have a full analysis in the coming days.

Click here to read the final rules.

The Wild West of Cybersecurity Regs

This week the White House unexpectedly canceled the signing of a cybersecurity executive order after meeting with White House cyber staffers, top government cyber officials and a handful of people from outside the government.

The executive order was supposed to be issued on January 31 and include a directive for federal agencies to adopt the NIST cybersecurity framework (which have been repeatedly breached in recent years) but following the meeting, the executive order was scrapped without explanation.

Separate but related, legal experts are predicting that with President Trump’s recent actions to relax the regulatory environment, states may take it into their own hands to implement more aggressive data security laws. As a result, we may see mores states seek to implement stricter state-wide legislation similar to New York’s recent proposed cybersecurity rule.

The Council views this as unwelcome as the existing maze of state data security laws and regulations already makes it a daunting task to keep your business and your clients in compliance. It is why The Council is a proponent of federal breach notification legislation that could preempt state and local laws.

We are certainly hopeful the new Congress will address this but, in the meantime, we encourage Council members to tap into our continuously updated library of state-by-state data security laws and regulations designed to take the confusion out of the compliance equation. For login help, please email robert.boyce@ciab.com

Request for Comments:

Lastly, NIST requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). This Request for Comments (RFC) is meant to facilitate coordination with, “private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations.”

Comments are due April 10, 2017, so please email robert.boyce@ciab.com with input by April 1.

The proposed update and comments to the Framework can be reviewed at http://www.nist.gov/cyberframework.

The Geneva Association: Insuring Cyber Risk

What is insurable risk? That’s the key question being explored by international insurance industry think tank, Geneva Association, is a new report on the cyber insurance market.

There are many challenges to insuring cyber risk, the report states, “especially due to a lack of data and modelling approaches, the risk of change, and incalculable accumulation risks.” Additional challenges to insuring cyber risk include information asymmetry, resulting in adverse selection and moral hazards, and coverage limits in the market.

According to a recent CyberScoop article, a lack of actuarial data could have profound consequences after Fitch’s recent warning that it will downgrade credit ratings of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”

Fortunately, the future is looking bright for the cyber market in the insurance industry and governments have many opportunities to promote it. As the market grows, risk pools become larger and more data will become available. Additionally, increased capacity and more competition will inevitably push prices down and result in more uniform terminology, standardization and pre-coverage risk assessment. The report also recommended that industry and governments collaborate on public-private partnerships when collecting data for cyber incident repositories. Lastly, many experts believe that pre-coverage screening and reporting requirements could alleviate adverse selection effects.

Deputy Secretary General of the Geneva Association and editor of the report, Dr. Fabian Sommerrock commented, “We are very pleased to publish this report which provides an insight into the current level of understanding about cyber risk and cyber risk insurance …This report has been provided to increase understanding of the risk and support the insurance industry’s role in mitigating and managing it for the benefit of individuals, institutions and governments alike.”

All Eyes on National Cybersecurity Report

After more than seven months, Commission on Enhancing National Cybersecurity has finalized its report on the Cybersecurity National Action Plan (CNAP) and is submitting it to President Obama. The Commission, which consists of “top strategic, business and technical thinkers from outside of Government,” according to a recent Politico article, was established as part of Obama’s effort to enhance the nation’s cybersecurity posture. The report is expected to be available to the public soon.

Members of the Commission explained the report focuses largely on short-term recommendations, with “market-based solutions rather than government regulations,” such as incentives and voluntary standards. The objective of CNAP is to enhance the nation’s long-term cybersecurity structure in both the public and private spheres. However, Kiersten Todt, executive director of the Commission explained that “the urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”

It is unclear how President-elect Donald Trump will handle the executive order and the Commission’s recommendations in the report, but the Commission has stated that a nonpartisan approach has been a key focus. Experts on the matter said that the nonpartisan nature of the executive order could give Trump a “rare opportunity to build on the work of President Obama.” Stanford University cyber researcher and Commission member, Herb Lin, also explained that “the political environment is very different now than it was before the election,” and that the Commission was “very scrupulous about not compromising the nonpartisan nature of the report.” The Commission consists of both Republican and Democratic representatives.

Trump has emphasized the need for the incoming administration to take a strong stance on hackers while simultaneously building out offensive cyber capabilities. The President-elect has vowed to create a “cyber review team” and change the nation’s stance on cybersecurity in the first 100 days of office, meaning he may choose to start fresh with his own agenda instead of building on that of Obama’s.

Cybersecurity in a Trump Administration

Inside the beltway and around the nation this week there has been zero escape from prognostications on what a Trump administration means for every issue imaginable. So, we’ll pile on…what about cyber? Well, we, at The Council, expect cybersecurity to be a significant issue. That statement seems obvious but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days (especially given the highly publicized hackings ahead of the election). On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his pro-national security and law enforcement approach to cybersecurity is different and Trump will have to delicately balance between business interests and national security.

As we look to our parochial areas of interest, we are well positioned to effectively represent Council members as things heat up on the hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.

Obama Cyber Commission Sets Final Public Meeting in Preparing Advice for President-Elect Trump

President Obama’s Commission on Enhancing National Cybersecurity will hold its final public meeting this month, which will prepare policy recommendations for the transition to the new Trump administration.  President Obama created the Commission to improve the nation’s cybersecurity posture with both short and long-term strategies in mind, including an industry-government partnership on voluntary standards. The presidential group has also been working hard to finish the Cybersecurity National Action Plan (CNAP) which includes a government-coordinated response plan for significant cyber-attacks.

President Obama has been vocal about his pledge of a peaceful transition, something he credits the Bush administration with mastering in his first days in office. They “could have not been more professional or gracious” in assisting the Obama team during the transition.  While President-elect Trump has promised to undo many of Obama’s major policies, both the President and President-elect have stressed the need for better cybersecurity practices and more funding for the federal government regarding cyber. As a result, the White House hopes it can help “guide the incoming Trump administration on advancing cybersecurity polices that build on the progress of an industry-government partnership on voluntary standards, while going further to address emerging and evolving threats,” according to a recent Inside Cybersecurity article. The Commission on Enhancing National Cybersecurity will hold a call-in meeting on November 21 asking for public input and will address their progress on developing policy recommendations for the transition.

Is Cyber Insurance Modeling Missing Key Components?

While carriers are rushing to enter a burgeoning cyber insurance market, estimated to be worth more than $3.25 billion in gross written premium, cyber experts fear that insurers cannot adequately gauge cyber risk, ultimately leading to poorly written cyber policies. Chief Operating Officer at A.M. Best, Matthew Mosher  explains that this risk is so new and unpredictable that insurers cannot yet accurately model and rate the risk. “The insurance industry has taken a slow path to engage with cyber because they’re not sure of the risk and aren’t completely able to provide a quantitative perspective of it. Carriers are working with different modelling firms and viewing risk from an aggregation basis to limit their exposure, but they lag somewhat in getting some of the best information available from models,” said Mosher. Another concern is that carriers often do not consider the possibility of an aggregated attack or an organization getting hit multiple times. Additionally, an attack on a system such as Microsoft would pull millions of users together, something that is not considered when underwriting a policy.

To combat this issue, insurance companies are partnering with data firms such as Cyence to collect data and better evaluate cyber risk for underwriting purposes. If done properly, Mosher believes this would increase limits in the cyber insurance market and lead to a more “mature stage in cyber underwriting.”

Cyber Insurance Market Watch Survey Results

The Council is pleased to release the results of its third bi-annual Cyber Insurance Market Watch Survey. Eighty-eight (88) respondents from 66 unique firms participated in the survey and provided insights on all aspects of the cyber insurance market from take-up, to premiums and sophistication of their clients’ cybersecurity programs.

Survey results reveal that roughly 29 percent of respondents’ clients purchased some form of cyber liability and/or data breach coverage in the last six months. Of those clients that purchased cyber coverage, 40 percent chose to increase their coverage levels. Respondents also felt there was adequate capacity for most of their clients’ needs, citing difficulties for the largest clients; those in the most highly-targeted industries such as healthcare; and for clients who have already had a cyber claim.

“As our broker members are investing more in resources to educate themselves and their producers about cyber risk, they are passing this knowledge on to their clients who are making better, more informed decisions about their cyber exposure and cyber insurance needs,” said Ken A. Crerar, President/CEO of The Council. “This is exactly the role of the broker and we see a lot of growth potential in this market for our members.”

The Cloud is Less of a Threat to Cyber Insurers

Businesses large and small have been moving to cloud services due to the benefits it has to offer: savings, security, agility and scalability. In fact, a Harvard Business Review survey recently found that 85 percent of companies have increased their “reliance on the cloud” in the past year, according to a recent Property Casualty 360 article.

The great migration to the cloud can benefit the insurance industry as well. While the risks associated with the cloud are different and have been a concern for underwriters, cloud services offer greater security capabilities and a significant reduction in overall risk. A common fear, however, is that one event could trigger cyber-attacks on multiple organizations, ultimately leading to multiple claims and potential bankruptcy for an insurance company. If carefully managed and properly understood, the transition to the cloud could lead to better protected data and lower cyber insurance premiums.  If not, the interconnectedness of the cloud could create a risk aggregation parallel to the asbestos claims in the late 1900’s.

Nonetheless, cloud based services can offer risk reduction for insurers’ portfolios. The aggregation of risk is certainly a factor, but “security services have begun to use the cloud to collect and pool information from every server and workstation that runs their security software. The result is a real-time picture of the threat landscape across hundreds of thousands of systems,” the article explains. Additionally, cloud security can identify and identify and patch software vulnerabilities as quickly as they appear. They collect a massive amount of metadata and can stop a zero-day attack as soon as it surfaces. The consensus is that cloud based services offers a level of security that outweighs potential risk, both for companies and their insurers. While its reliability and the aggregation of risk remains a concern, cloud providers have become better secured and more resilient in comparison to traditional approaches to cybersecurity.