Aug 10, 2018
If you write business in N.Y.: Insurance department clarifies third-party service provider issue, cyber security regulation
Recently, PIA sent a joint letter to the New York Department of Financial Services as part of a coalition of producer groups. The letter asked the insurance department to clarify whether a producer would be considered a third-party service provider or an authorized user of a carrier (and vice versa) under the state’s cyber security regulation.
In response, the NYDFS updated its cyber security regulation FAQ, and stated: “A producer can be considered a Covered Entity, an Authorized User, and a Third Party Service Provider depending on the facts and the circumstances.”
According to the insurance department, a NYDFS-licensed independent agent who works with multiple insurance companies is a Covered Entity with his or her own obligation to establish and maintain a cyber security program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information. See 23 NYCRR 500.02 (23 NYCRR Part 500).
In addition, when the independent agent holds, or has access to, any Nonpublic Information or Information Systems maintained by an insurance company he or she works with (e.g., for quotations; issuing a policy; or any other data or system access), the independent agent will be a Third-Party Service Provider. This applies only with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including, but not limited to, risk-based policies and procedures for minimum cyber security practices; due diligence processes; periodic assessment; and access controls and encryption).
Further, an independent agent also will be an Authorized User if he or she participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.
It is also noted that, like any other Covered Entity, an insurance company may be a Third-Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.
In all events, each Covered Entity is responsible for thoroughly evaluating its relationships with other entities, to ensure that it is fully complying with all applicable provisions of 23 NYCRR Part 500.