New York Department of Financial Services (NYDFS) Letter: “Potential” Cybersecurity Regulations for Insurers

On November 9, 2015, the New York Department of Financial Services (NYDFS) issued a letter that describes what insurers can expect from the Department’s ongoing assessment of cybersecurity measures. The letter parallels concerns raised in NYDFS’s February 2015 report, which noted low levels of CEO attention to cybersecurity issues and extensive sharing of sensitive information with third-party service providers.

The letter lists eight areas where “potential regulations” would set specific requirements. Given the Department’s concern for the security of consumer information held by large insurance entities, it is unlikely that this letter is merely a general statement of areas the Department is considering regulating. More likely, the eight areas analyzed below preview regulatory provisions in the works.

1. Cybersecurity Policies and Procedures: The Department outlines an extensive 12-point list of subject areas it expects to be addressed by entities’ cybersecurity policies and procedures. These include:

(1) Information security
(2) Data governance and classification
(3) Access controls and identity management
(4) Business continuity and disaster recovery planning and resources
(5) Capacity and performance planning
(6) Systems operations and availability concerns
(7) Systems and network security
(8) Systems and application development and quality assurance
(9) Physical security and environmental controls
(10) Customer data privacy
(11) Vendor and third-party service provider management
(12) Incident response, including setting clearly defined roles and decision-making authority

Though large insurers already have many of these policies and procedures in place, this list becomes more onerous when read in conjunction with Section 5. Section 5 states that “[e]ach covered entity would be required to maintain and implement written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.” If this formulation is preserved in the final regulations issued by NYDFS, it would be insufficient for insurers to merely implement these policies and procedures. Rather, they would also have to meet a standard of reasonableness in that implementation. As discussed in Section 5, this may prove challenging.

2. Third-Party Service Provider Management: The Department goes into detail regarding third-party providers, suggesting that covered entities “maintain policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third party service providers.”

NYDFS proposes a contractual method for carrying out this suggestion, requiring insurers to include minimum preferred terms in third-party agreements. The Department then lays out six contractual terms meant to protect the information shared with those providers, including the use of multi-factor authentication, encryption, indemnification, and security auditing.

3. Multi-Factor Authentication: The Department will likely require covered entities to “implement multi-factor authentication for all access to internal systems and data.” Multi-factor authentication requires at least two independent methods of verifying one’s identity (for example, a password combined with a one-time code from a physical token or phone) before access to sensitive accounts or data is allowed.

4. Chief Information Security Officers: The Department will also require each covered entity “to designate a qualified employee to serve as its Chief Information Security Officer (CISO).” The CISO would “be required to submit to the Department an annual report, reviewed by the entity’s board, assessing the cybersecurity program and the cybersecurity risks to the entity.”

5. Application Security: The Department states, “[e]ach covered entity would be required to maintain and implement written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.” As noted in Section 1, if this standard is formalized, it will apply a reasonableness standard to all 12 required policy and procedure topics.

Cybersecurity threats are constantly evolving. This means that what is “reasonable” in abating them is also fluid. Keeping up with this ever-changing standard will be a difficult task for any entity that holds large quantities of personal information.

6. Cybersecurity Personnel and Intelligence: The Department also notes that each covered entity “would be required to employ personnel adequate to manage the entity’s cybersecurity risks and perform the core cybersecurity functions of identify, protect, detect, respond and recover” (the five core functions of the NIST Cybersecurity Framework). The costs of employing and training such personnel, or outsourcing these responsibilities to third parties, will be significant for any insurer that aspires to comply with the forthcoming regulations.

7. Audits: Not only does the Department contemplate annual “penetration testing” (controlled attacks on computer systems that identify exploitable security weaknesses) and quarterly “vulnerability assessments” (cataloguing and categorizing known vulnerabilities in the systems and ranking them by risk), but it also lays out the specifics of maintaining an “audit trail” system.

8. Notice of Cybersecurity Incidents: Finally, the Department lays out a standard for government notification in the event of a cybersecurity incident. If implemented, this standard would require covered entities to notify the Department of any “incident that has a reasonable likelihood of materially affecting the normal operation of the entity.”

Notification would be required in the case of “any cybersecurity incident: (1) that triggers certain other notice provisions under New York Law; (2) of which the entity’s board is notified; or (3) that involves the compromise of ‘nonpublic personal health information’ and ‘private information’ ... or any biometric data.”

In sum, the NYDFS letter suggests three major proactive measures for insurers in the coming months:

  • Policies and Procedures: Insurers should (i) put policies and procedures in place for all 12 subject areas listed in Section 1, and (ii) confirm that those policies and procedures are “reasonably designed to ensure the security of all applications utilized by the entity.”

  • CISO: Insurers should designate an employee as their CISO, and implement systems for his or her annual report to the Department and the entity’s board.

  • Update Third-Party Vendor Contracts: Insurers should update their third-party service provider contracts to include the six contractual terms referenced in Section 2. 

© 2022 Foley & Lardner LLP. National Law Review, Volume V, Number 327

About this Author


Kevin G. Fitzgerald is a partner and insurance lawyer with Foley & Lardner LLP. His practice is concentrated in the fields of corporate and regulatory insurance law, insurance insolvency, premium taxation, privacy legislation, captive insurance matters, agent and agency licensing and reinsurance transactions. He is a member and former chair of the firm’s Insurance & Reinsurance Industry Team and is a member of the Finance & Financial Institutions; Transactional & Securities; and Privacy, Security & Information Management Practices, as well as the...


Tom Hrdlick is a partner and insurance and reinsurance attorney with Foley & Lardner LLP. Mr. Hrdlick's practice is concentrated in the fields of corporate and regulatory insurance and reinsurance law, with a particular emphasis on transactional work within the insurance and reinsurance industries and reinsurance runoff management. He is co-chair of the firm's Insurance & Reinsurance Industry Team. Mr. Hrdlick is also a member of the firm's Health Care Industry Team due to his experience working with health insurers.  

J.J. Silverstein is an associate and business lawyer with Foley & Lardner LLP and a member of the firm’s Insurance & Reinsurance Industry Team.

As a law student, Mr. Silverstein was a summer associate for Foley. Mr. Silverstein also served as a judicial intern to The Honorable Emmet G. Sullivan for the United States District Court for the District of Columbia.

Prior to becoming a law student, Mr. Silverstein worked with CitizensUK, a nonprofit organization in London, and was a Fulbright Fellow with the U.S....