New York Financial Services Regulator Revises Proposed Cybersecurity Regulations Affecting Insurers

01.31.17
(Article from Insurance Law Alert, January 2017)

In September 2016, the New York State Department of Financial Services proposed regulations that would require financial institutions – including insurers – to implement stringent measures to protect against data breaches and other cyberattacks. The proposal mandated several specific requirements, including the appointment of a chief information security officer, an annual review process and detailed plans for dealing with data breaches. Responding to a flood of criticism regarding the regulation’s stringency, the Department issued a revised proposed regulation last month. See N.Y. Comp. Codes R. & Regs. tit. 23, §500.

The revised provision contains many of the same safeguards included in the original draft, but allows for increased flexibility in the implementation of the requirements. In particular, the new proposal allows a financial institution to customize its cybersecurity program based on the particular risks inherent to its business. However, the proposal still requires institutions to adhere to the enumerated protocols included in the regulation and does not allow companies to design controls based on their own risk comfort levels.

The revised proposal relaxes certain other requirements, including the following: the required frequency of risk assessments was changed from “annually” to “periodically”; encryption is not required to protect non-public data if it is “infeasible,” in which case alternative methods of control may be used; and the 72-hour reporting requirement for security breaches is applicable only if the company is already otherwise obligated to report the breach (under other laws or regulations) and if the breach has “a reasonable likelihood of materially harming any material part of the normal operations” of the company.

The regulation is effective March 1, 2017, and covered entities will be required to submit a Certification of Compliance commencing February 15, 2018.