Industry Groups Encouraged by Latest Draft of New York Cybersecurity Rule
January 3, 2017 by Thomas Harman
ALBANY, N.Y. – Insurance industry groups voiced encouragement over the new update to cybersecurity regulation proposed by the New York Department of Financial Services.
The proposed regulation is expected to take effect March 1, 2017, and will require banks, insurance companies and other financial services institutions under DFS regulation to create and maintain a cybersecurity program to protect consumers and aid the financial services industry’s soundness. The latest proposal incorporated comments submitted after the initial language was issued in September (Best’s News Service, Sept. 20, 2016).
The plan requires regulated financial institutions to establish a cybersecurity program, adopt a written cybersecurity policy and designate a chief information security officer responsible for implementing, overseeing and enforcing the program. It also calls for periodic risk assessment of information systems, and for companies to design policies and procedures to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
The latest draft said covered entities will have 180 days from the effective date to meet requirements in the rule. The rule contains exceptions, such as allowing companies up to one year to hire a chief information security officer and to meet penetration testing requirements.
New York Insurance Superintendent Maria Vullo said the update would help assure financial institutions such as insurance companies are properly handling information and have protocols that would ensure the safety and privacy of personal information. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats,” she said in a statement.
The American Insurance Association said while the proposed regulation remains broad in scope, improvements have been made to provide financial institutions with more flexibility in creating cybersecurity programs that fit insurer risk profiles best. The AIA was especially pleased the DFS addressed AIA concerns on what the group viewed as the most restrictive and burdensome parts of the proposal as they related to encryption and audit trails. Extending the transition period is a positive development, allowing companies more time to comply with certain requirements in the regulation.
Alison Cooper, the AIA Northeast region vice president, said in a statement the changes mark a step in the right direction, and New York Insurance Association President Ellen Melchionni said in a statement her group is encouraged by significant modifications to the initial draft, saying it is clear the DFS considered the industry’s feedback in making the latest changes.
Industry groups initially voiced concerns that the first draft was not risk-based. “DFS has indicated that they have incorporated a risk-based approach into the proposed regulation, which is a necessary first step to the regulation being more appropriate. NYIA is currently assessing whether or not this essential aspect has been fully integrated into the new version,” Melchionni’s statement said.
According to the latest draft, companies exempted from parts of the proposal include those with fewer than 10 employees, including any independent contractors; or less than $5 million in gross annual revenue in each of the past three fiscal years, or less than $10 million in year-end total assets, including assets of all affiliates.
(By Thomas Harman, Washington Bureau manager, BestWeek: Tom.Harman@ambest.com)
BN-NJ-12-30-2016 1116 ET #