Joshua A Mooney

September 13, 2017 | FC&S Insurance

Cyberregulation and the meaning of reasonable cybersecurity measures are changing rapidly. Insurance companies are in the red zone for new regulatory schemes…

By Joshua A. Mooney and Richard Borden

8 minute read

August 29, 2017 | The Legal Intelligencer

Cyberregulation and the meaning of reasonable cybersecurity measures are changing rapidly. Insurance companies are in the red zone for new regulatory schemes and heightening expectations of duties of care that are well beyond the responsibility of a company's CIO. In January, the New York State Department of Financial Services (NYDFS) promulgated 23 NYCRR 500, a first-of-its-kind cyberregulation that requires companies to conduct assessments of their information systems and affirmatively build cybersecurity policies and programs based on those assessments. This includes creating oversight committees of senior officers, reliable chains of communication, and internal reports to educate appropriate decision-makers. The regulation also requires companies to make determinations as to the materiality of risks and events that may implicate other reporting obligations, such as SEC reporting requirements of public entities. The approach outlined in the NYDFS regulation is catching on. Recent NAIC Insurance Data Security Model Law drafts (drafts four and five) are based on the regulation and incorporate many of the same requirements. So is pending legislation in other states.

By Joshua A. Mooney and Richard Borden

15 minute read