Cyberregulation and the meaning of reasonable cybersecurity measures are changing rapidly. Insurance companies are in the red zone for new regulatory schemes and heightening expectations of duties of care that are well beyond the responsibility of a company’s CIO. In January, the New York State Department of Financial Services (NYDFS) promulgated 23 NYCRR 500, a first-of-its-kind cyberregulation that requires companies to conduct assessments of their information systems and affirmatively build cybersecurity policies and programs based on those assessments. This includes creating oversight committees of senior officers, reliable chains of communication, and internal reports to educate appropriate decision-makers. The regulation also requires companies to make determinations as to the materiality of risks and events that may implicate other reporting obligations, such as SEC reporting requirements of public entities. The approach outlined in the NYDFS regulation is catching on. Recent NAIC Insurance Data Security Model Law drafts (drafts four and five) are based on the regulation and incorporate many of the same requirements. So is pending legislation in other states.
Simply put, the regulation and other legislation to come will require insurance companies, brokers, and soon their lawyers, to change their management and corporate culture toward cybersecurity or face certain liability. For those insurers that conduct business in New York and have not yet taken action, time is running out. Here are five things that every insurance carrier, its general counsel and its board of directors should know about these new cybersecurity regulations.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.
For questions call 1-877-256-2472 or contact us at [email protected]
