Feb 11, 2019
Final cybersecurity deadline was March 1: Third-party service provider security policy
The last section of New York’s cybersecurity regulation—500.11: Third-party service provider security policy—goes into effect on March 1, 2019. This section requires all covered entities to implement written policies and procedures designed to ensure that information systems and nonpublic information that are accessible to, or held by, third-party service providers are secure. In practice, this means you must identify every third party that has access to nonpublic information (e.g., Social Security numbers, policy information, home addresses), assess the risk each one presents, set the minimum cybersecurity practices you require of them, perform due diligence to confirm that adequate protections for that data are actually in place, and reassess those providers periodically.
Who is a third party?
The regulation defines a third-party service provider as a person that is not an affiliate of yours, provides services to you (the covered entity), and maintains, processes or otherwise is permitted access to nonpublic information through those services. Any outside party that holds or processes your nonpublic information, or that you allow to access it on your systems, is therefore a third party (e.g., payroll services, data storage services). The New York State Department of Financial Services has said that covered entities can be third parties of one another, so carriers and agents are third parties of each other.
Does PIA have resources to help me comply with this section of the regulation?
Yes! PIA has created a sample letter and questionnaire that you can use to evaluate the cyber protections your third-party vendors have in place. The questionnaire can be used as is, or it can be customized for your agency’s specific needs. Association members also have access to the cybersecurity section of PIA’s Privacy Compliance Central, which includes in-depth resources on the final regulation and how to comply with it; answers to commonly asked questions about the regulation; and QuickSource documents. If you have any additional questions, email PIA’s Industry Resource Center.
Or, you can access PIA’s On-Demand Webinar: NYSDFS’ Cybersecurity Regulations Update: What You Need to Know, which originally aired on Feb. 26.
Don’t want to do it alone?
PIA has partnered with TAG Solutions to offer Compliance Plus and Do-It-Yourself programs for members to help them comply with this regulation. For more information, complete an online form and one of TAG Solutions’ representatives will contact you to discuss your options.