Financial Services Chief Vullo Discusses NY's Role in National Cybersecurity Regs
The Department of Financial Services Superintendent Maria Vullo discusses the National Association of Insurance Commissioners' decision to adopt New York's cybersecurity regulations as its model law for adoption by its members, which include all 50 states' insurance commissioners.
November 15, 2017 at 04:07 PM
In March, New York's Department of Financial Services established a cybersecurity regulation for banks and insurance companies that was expected to have national and global impact. Months later, the National Association of Insurance Commissioners adopted a data security model law similar to New York's.
In late October, the NAIC, the standard-setting organization governed by chief insurance regulators from all 50 states, D.C. and five U.S. territories, adopted the Insurance Data Security Model Law, which includes provisions for investigating data security breaches.
“Considering the recent series of data breaches, cybersecurity is more important now than ever,” said Ted Nickel, NAIC president and Wisconsin insurance commissioner at the time, in a statement. “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”
For New York, the cybersecurity regulations have already been in place for months. In late August, the 180-day grace period for the DFS cybersecurity regulation expired, creating a watershed moment for insurers and the financial institutions doing business in New York. Under DFS's groundbreaking regulation, entities the agency regulates would have to have state-approved plans to deter cyberattacks, and report any attacks within 72 hours of when they occur.
The New York Law Journal spoke with DFS Superintendent Maria Vullo about New York's cybersecurity regulation and what role it has played in the NAIC's adoption of the model law. Questions and answers have been edited for clarity and brevity.
Q: What role, if any, did DFS play in the NAIC's adoption of the data security model law?
Vullo: It's not a coincidence that the NAIC came out with a model a few months ago and that that model is almost exactly the same language as our regulation. We were, and I was, instrumental in moving the NAIC in this direction. I've made a point, since I arrived at this job, of really working through the NAIC and working with fellow commissioners in other states.
The NAIC had a task force on a model cybersecurity law for years that was going back-and-forth and had not led to anything close to being final. We finalized our cybersecurity regulation in February of 2017 and it became effective March 1. At the NAIC national meeting in April, I presented on what we had done in New York and urged that they consider adopting it. I maybe even said “mimicry is the best form of flattery. I have no problem with you plagiarizing.”
The person who had been the head of the task force at the NAIC had left, and so two new commissioners from South Carolina and Rhode Island ran the task force. My staff and I worked closely with them. The NAIC model is extremely close, and is pretty much verbatim in many, many places. It even includes a footnote that says compliance with the New York reg is compliance with the law.
Q: Does the NAIC's model law differ from New York's regulation?
Vullo: There are no material differences. Because it is a model law and a statute, there are provisions in their law that I don't need but that some of the other commissioners need. For example, they have provisions giving commissioners the power to investigate the affairs of a licensee for cybersecurity. My regulation doesn't have that because I already have that ability. As the rule developed, the NAIC included it in its provisions because commissioners were concerned. They wanted to make sure that if a statute like this passed, that they had the authority from the legislature to enforce their investigatory authority.
My regulation is not just for the insurance industry, and that's an important distinction. I regulate insurance companies, as well as banks and other financial services providers. The NAIC model law is only for insurance and my regulation covers all of the other regulated entities that I supervise.
Q: What prompted the NAIC to do this now?
Vullo: I think in the past, they had been going back-and-forth with drafts for several years. New York, me, we acted here. We went out with a proposed regulation. We had a significant comment period and incorporated good comments. We had lots of meetings, lots of discussion with our regulated institutions, and I finalized the regulation in February, effective March 1. Sometimes it takes somebody to go out and do something for other people to say “OK, we can't wait any longer.” I guess you could say this was a catalyst that prompted it, and then the new leadership of the NAIC work group, and the cybersecurity issue in 2017 is so big. Some of our institutions and insurance companies wanted consistency and they worked with us, through the NAIC, to get consistency.
Q: What has the feedback from the industry to this regulation been?
Vullo: These are difficult issues and a new thing that they have to comply with. I believe that at the end of the process they were comfortable where we got because we listened to them. But at the same time, it is a requirement. It has to be followed. Cybersecurity is a big deal. We recognize it and we worked with the industry to understand how best to implement something like this with respect to their institution and we modeled the reg to be adaptable depending on all shapes and sizes of institutions.
Q: How does the cybersecurity rule in New York apply to medical records and insurance lawyers?
Vullo: Medical records would only apply when you're dealing with insurance companies. To the extent that an insurance company has medical records, which they probably do, then it applies to the company. Of course, [the Health Insurance Portability and Accountability Act] still applies and all of the protections of the federal statute apply. Nor does it conflict with Gramm-Leach-Bliley.
With respect to insurance lawyers, the regulation applies to nonpublic, personally identifiable information. It doesn't apply to everything. If there's a third-party vendor that a law firm sends information out to, the institution has to do its due diligence. That vendor has to have the programs and system in place to protect the data. In other words, the company that I regulate can't avoid the regs by outsourcing its operations and the nonpublic information that's covered to a third-party vendor without ensuring that that vendor has adequate protections that would comply with the regulations.