September 20, 2019

September 19, 2019

Subscribe to Latest Legal News and Analysis

September 18, 2019

Subscribe to Latest Legal News and Analysis

September 17, 2019

Subscribe to Latest Legal News and Analysis

New York Department of Financial Services Proposes Cybersecurity Requirements for Financial Services Companies

On September 9, 2016, the New York Department of Financial Services (NYDFS) proposed a long-awaited regulation setting out cybersecurity requirements for financial services companies, including any company authorized to operate pursuant to a “license, registration, charter, certificate, permit, accreditation or similar authorization” under the insurance law.

The proposed regulation appears to be intended to apply very broadly, obviously. Non-U.S. insurers and reinsurers in particular will want to confirm if the proposed regulation applies – whether with respect to excess lines insurers, “trusteed” or “certified” reinsurers. We will report further to clients in this regard.

Background

Since 2013, the NYDFS conducted a series of surveys of its regulated entities regarding their cybersecurity programs, costs and future plans. Beginning in early 2015 the NYDFS began to include cybersecurity assessments when examining insurers and sent so-called “Section 308” letters to domestic insurers requiring extensive disclosure as to insurers’ cybersecurity programs, governance, personnel, practices and procedures. The proposed regulation generally follows the framework set out in prior communications from the NYDFS.

The Proposed Regulation

The requirements set forth in the proposed regulation include the following:

  • Establishment of a cybersecurity program, including the adoption of a written cybersecurity policy;

  • Establishment of written policies and procedures regarding application security and information systems and nonpublic information accessible to or held by third parties;

  • The designation of a Chief Information Security Officer (CISO);

  • Employment and training of cybersecurity personnel and training for all personnel;

  • Technical requirements, including multi-factor authentication and encryption of nonpublic information;

  • Oversight requirements including penetration testing, vulnerability assessments, risk assessments, and audit trail systems;

  • Establishment of a written incident response plan and notification to the superintendent in the event of a Cybersecurity Event; and

  • Annual certification by senior executives (or possibly by entire Boards of Directors) of compliance, with the first certification due to be filed on January 15, 2018.

The proposed regulation currently specifies an effective date of January 1, 2017 and entities would be given 180 days from that effective date to comply. 

Takeaways

The proposed NYDFS cybersecurity regulation presents a more comprehensive framework for cybersecurity than has been seen in any other U.S. jurisdiction.  Whether this proposed regulation adequately balances the operational realities of financial services companies with the need to reinforce a) cybersecurity efforts in a world of increasing cybersecurity risks and b) evolving Enterprise Risk Management standards remains to be seen. 

It also remains to be seen how this proposed regulation will impact, if at all, other cybersecurity initiatives such as the National Association of Insurance Commissioners’ proposed Insurance Data Security Model Law and how New York’s  “Cybersecurity Event” notification requirements will work with other states’ breach notification requirements.

The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.  We anticipate that industry organizations and other interested parties will provide the NYDFS with comments.  We will review those comments with great interest and will report further as developments warrant.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

TRENDING LEGAL ANALYSIS


About this Author

Thomas M. Dawson, Insurance, Attorney, Drinker Biddle
Partner

Thomas M. Dawson* represents U.S. and non-U.S. insurers on regulatory, licensing and corporate matters. He is co-chair of the firm's Insurance Regulatory and Transactional Team within the Corporate and Securities Practice Group.

Tom advises industry participants on a wide variety of regulatory and transactional matters, including cybersecurity compliance, insurtech ventures and Holding Company Act filings. He has assisted clients form, acquire and invest in U.S. insurers, reinsurers and intermediaries. He counsels non-insurers...

212-248-3160
Yuliya Feldman, Drinker Biddle Law Firm, Insurance Attorney
Associate

Yuliya Feldman assists clients with a wide range of insurance regulatory and transactional matters. She also assists with general corporate matters.

While in law school, Yuliya worked for approximately two years as a law clerk in the Law Department of SCOR Reinsurance Company, where she worked on a variety of projects involving corporate governance matters, regulatory matters, and commercial matters. In law school, she was also involved with the International Law Society, where she served as Treasurer.

212-248-3172