
The insurance industry is well aware that in 2017 the New York Department of Financial Services (NYDFS) adopted its landmark cybersecurity regulation for insurance companies, banks and other entities it licenses, which has now taken effect, and that later that year the National Association of Insurance Commissioners (NAIC) adopted a model law on insurance data security. However, many companies that were not subject to the NYDFS regulation because they are not licensed in New York should be aware that they could soon be subject to cybersecurity regulations of their own as more states enact their version of the NAIC model law. So far, South Carolina, Ohio, Michigan and Mississippi have adopted versions of the model law, and many other state legislatures are considering enactment of their own versions. And since the NAIC called on legislatures to adopt its model law within three years when it adopted the law in 2017, it is likely that many more states will enact similar laws next year. As more states adopt their own data security requirements for insurance entities, it becomes more urgent for companies to familiarize themselves with the various requirements and develop a compliance strategy. Failure to comply could lead to fines, penalties and other enforcement actions, as well as expose an entity to reputational risk.


NYDFS Cybersecurity Regulation

On Feb. 16, 2017, NYDFS promulgated a final regulation on Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). The rule, which took effect March 1, 2017 with a phased transition period for its more demanding provisions, applies to insurance companies, banks and other financial services companies regulated by NYDFS, and requires these entities to adhere to new standards to protect consumers from cyber threats.

NYDFS tried to keep the standards flexible so that companies can assess their risks and adopt a cybersecurity program that is appropriate to those risks. There are also some fixed standards, such as regular reporting requirements and a requirement that cybersecurity personnel regularly attend updates and training sessions.

  • Annual Risk Assessment

A basic requirement of the regulation is the risk assessment. The regulation calls for it to be conducted periodically and updated as reasonably necessary to address changes to the entity’s systems, data or business operations; in practice most entities run it annually. The risk assessment should be used to inform the entity’s written cybersecurity policies and procedures. These written guidelines must include: criteria for how identified risks will be evaluated and categorized; how the adequacy of the entity’s systems and controls will be assessed; and how each identified risk will be either mitigated or accepted. The annual risk assessment is not intended to be a check-the-box exercise, but should instead be a meaningful review of the company’s cyber resiliency. If done right, it should help an entity understand its vulnerabilities and plan accordingly.

The annual risk assessment also illustrates some of the flexibility that was one of NYDFS’s goals, in that a company does not need to mitigate every single possible risk. Some risks can be accepted if they are deemed too remote to be reasonably likely to occur, or a company may choose to purchase cyber liability insurance rather than adopt additional safeguards if this is deemed more economically efficient. Whatever the entity decides to do, it must document its decision-making process, and that documentation may be requested by the regulator. Note that accepting a risk or insuring against it does not relieve the entity of the regulation’s fixed minimum controls, such as limits on access privileges, penetration testing and training; the flexibility applies to how the program is designed around the identified risks, not to whether those baseline requirements are met.

  • Cybersecurity Policy

Another key requirement is that companies must have a written cybersecurity policy. This policy should be developed based on the entity’s risk assessment and describe how the company will protect its information systems and the nonpublic information stored on them. The policy must be approved by a senior officer, the board of directors or an appropriate board committee. The regulation sets forth a number of specific items that the policy must cover, including software protections, physical safeguards and other cyber protocols such as training and breach response plans. The requirement that the board or a senior officer approve the policy shows that this is not meant to be a simple document, but rather a detailed statement of the entity’s entire data security system. The decision-making process behind the development of the policy, and any subsequent amendments, should be well documented because, like the annual risk assessment, the cybersecurity policy can be reviewed by regulators and examiners.

  • Third-Party Management

There are also specific requirements for third-party service providers. Notably, entities that use third-party providers are required to develop and implement written policies and procedures applicable to their vendors. The policies must include guidance for identifying risks posed by third-party service providers, minimum standards that must be adopted by contractors, guidance for selecting contractors, and guidance for the periodic evaluation of service providers. There are also requirements relating to contractual terms with third-party service providers, covering encryption, notice to the entity in the event of a cybersecurity event affecting its information, and implementation of other safeguards to protect the entity’s information.

  • Incident Response Plan

Although planning for cybersecurity breaches is implicit in the requirements described thus far, there is a specific requirement for an Incident Response Plan (IRP). The IRP should describe the procedures personnel will follow when a security incident occurs, the roles and responsibilities of different persons, including third-party service providers, and the steps the organization will take to remediate or mitigate the harm caused. Incident response is one of the areas the cybersecurity policy must address, so the IRP is subject to the same review and approval as the policy itself.

  • Breach Notification 

There is also a notice requirement to the Superintendent for certain breaches, although it is not a blanket requirement to report every breach. If the entity must report the breach to another government agency, self-regulatory organization or supervisory body, such as FINRA or another insurance department, then notice must also be provided to the New York Superintendent. Other breaches must be reported only if there is a “reasonable likelihood of material harm” to a material part of the entity’s normal operations. Notice must be given as promptly as possible, and no later than 72 hours after the entity determines that a qualifying event has occurred, so the IRP should include a process for making that determination quickly.

  • CISO

The regulation further requires entities to designate a chief information security officer, or CISO. The CISO can be employed by an affiliate or third-party service provider, as appropriate, should be qualified to oversee implementation of the entity’s cybersecurity program, and must report in writing at least annually to the board on the cybersecurity program and material cybersecurity risks. Some state regulators have requested background information on the CISO of their domestic carriers, and required biographical affidavits and fingerprints, but it is not yet a national standard that the CISO must always be vetted like other executive officers of an insurance company.

  • Penetration Testing

Entities are also required to conduct penetration testing and vulnerability assessments regularly to determine their potential weaknesses. More sophisticated companies may employ continuous monitoring to constantly probe for vulnerabilities; an entity that does not have effective continuous monitoring must instead conduct penetration testing at least annually and vulnerability assessments at least twice a year, both scoped according to its risk assessment.

  • Access Controls

Access privileges are also specifically addressed by the regulation. Entities must limit user access privileges to systems that hold nonpublic information to those personnel who actually need that access, and must periodically review those privileges. All entities would be well advised to limit access to their sensitive information regardless, but it is now a specific requirement.

  • Training

The regulation also sets forth specific training requirements. Both IT personnel and other staff must receive regular cybersecurity awareness training and updates. There are no prescribed standards for the content of the training, but it must be updated to reflect the risks identified in the entity’s risk assessment and conducted regularly so that personnel keep abreast of developing threats and the proper use of the entity’s systems.

  • Active Board Involvement

The regulation in a number of places requires that the board be involved with the development of an entity’s cybersecurity plans, and that it (or a senior officer) review and approve the formal cybersecurity policy documents and receive the CISO’s annual report. Additionally, because of the severity of the threat, board involvement is seen by regulators as critical to a company’s overall cybersecurity preparedness. Senior management will need to make sure their boards are well informed, conduct the needed reviews of formal cybersecurity policy documents, and document all board approvals, concerns and other issues that may arise. Companies should also consider the interplay between the cybersecurity requirements and other relatively recent corporate governance filings, such as the Corporate Governance Annual Disclosure (CGAD) and the Form F enterprise risk report. Cybersecurity considerations will be part of these filings, and companies should take steps to make sure the documents are consistent and that staff are coordinating effectively. Entities should also take note that other regulators are actively monitoring the effect of the New York regulation with an eye on developing their own sets of requirements.


The NAIC Model Law

While NYDFS was developing its regulation, the National Association of Insurance Commissioners was busy at work on its own Insurance Data Security Model Law, which was adopted by the NAIC in October 2017. The New York regulation had a significant impact on the development of the NAIC model, which is in many ways similar to New York’s rule. There are, however, some important differences between the two sets of requirements.

  • Flexible Third-Party Management

The provisions of the NAIC model governing third parties are somewhat more flexible than New York’s requirements, and were a particular source of controversy in drafting the model. The original draft would have required insurers to contract only with entities that maintained robust information security programs, but these provisions were modified due to concerns that they would unduly burden smaller entities, such as small agencies and brokerages. Subsequent versions gradually pared down this requirement and moved toward a general requirement to exercise due diligence in selecting and contracting with third parties. Earlier versions also called for written policies and procedures governing the selection of and contracting with third parties, which would have been similar to New York’s requirement, but the cybersecurity working group ultimately did not take the New York approach for third parties.

  • Many Similarities to the NYDFS Regulation

The incident response plan requirement was added in the fifth version of the NAIC model, and is almost identical to the provisions of the New York regulation. Another similarity to the New York regulation is the requirement to certify annually to the commissioner that the entity is in compliance with the law. The previous version had a more robust requirement to provide annual reports to the commissioner containing a summary of the insurer’s risk assessment and identifying areas for improvement, but this was ultimately brought in line with New York’s standard. And, like the New York regulation, the NAIC model gives the commissioner the ability to inspect the insurer’s documentation of its efforts to improve its incident response plan.


State Laws Following the NAIC Model Law Could Vary

Since each state will need to adopt its own version of the NAIC model, we can expect to see some significant variation between state requirements over the next several years. For instance, some states may adopt more stringent data breach notification requirements, impose additional requirements as to third-party service providers, or make other modifications to the requirements described above. Companies will therefore need to address how best to approach compliance with potentially inconsistent requirements. Some think that, since the New York rule is already in effect and is expected to be the most stringent set of requirements, entities would be best advised to simply follow New York’s lead and use its standard as a sort of best practice. That may not be the best approach for all companies. If an entity is not required to comply with New York law and the applicable state law or laws impose lower requirements, it may not want to incur the burden and costs of complying with New York’s rule. As more states adopt cybersecurity rules, insurance companies that want a clear and efficient compliance strategy must work to understand the various applicable cybersecurity laws, and the costs and benefits of complying with each. As more states enact new variations of cybersecurity laws over the next few years, it will undoubtedly become more challenging to settle on a clear compliance strategy, but companies with a clear understanding of the NYDFS regulation and the NAIC model will be better equipped to chart a compliance strategy appropriate for their operations.

Fred Karlinsky, a shareholder at Greenberg Traurig, is co-chair of the firm’s insurance regulatory and transactions practice group. He represents the interests of insurers, reinsurers and a wide variety of other insurance-related entities on their regulatory, transactional, corporate and governmental affairs matters.

Richard J. Fidei, a shareholder with the firm, focuses his practice on national insurance regulatory and compliance matters. 

Julie McPeak, a shareholder with the firm in its Nashville office, focuses her practice on insurance law and insurance regulation issues. 

Jamey Zellner, an attorney with the firm in the Fort Lauderdale office, focuses his practice on government law and policy matters. He handles a wide range of insurance regulatory and corporate transactions.