
Independent agents need to prepare for NYDFS cybersecurity regulations

The New York State Department of Financial Services recently published draft regulations addressing cybersecurity in the financial sector. Described as "first in the nation," the regulations are broad and reach beyond core financial institutions, such as banks and lenders. The regulations affect all entities and individuals licensed by the NYDFS, including agents and brokers.

PIANY conducted a survey of its membership to assess levels of readiness for the minimum standards of the regulation and found that independent agents and brokers need to prepare for these complex cybersecurity compliance regulations.

Respondents were evenly split—52 percent responded "yes" and 48 percent responded "no"—with regard to whether or not they qualified for the "limited exemption" afforded in the regulation for agencies that currently have fewer than 1,000 customers in each of the last three calendar years, and less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets, including assets of all affiliates. Qualifying for the "limited exemption" only excludes agencies from nine out of the 20 requirements of the regulation.

The survey also found that 76 percent of independent agents who responded do not have a cybersecurity program designed to ensure the confidentiality, integrity and availability of their information systems, with the ability to detect, respond to, recover from and report cybersecurity events, nor a written cybersecurity policy setting forth procedures for the protection of their information systems and the nonpublic information stored on those systems.

Sixty-three percent of respondents do not have the ability to at least annually conduct a risk assessment of their information systems. Sixty-six percent of respondents do not have written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties doing business with their agency.

However, of the agents who responded to the survey, 80 percent currently have policies and procedures for the timely destruction of any nonpublic information that is no longer necessary. But only 33 percent of respondents have policies and procedures for the timely notification of the superintendent of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of an agency or that affects nonpublic information.

Accordingly, PIANY believes too many individuals and entities would be subject to this regulation. The NYDFS lists more than 2,000 licensed entities that would need to comply with these requirements. Moreover, the threshold for qualifying for the limited exemption is too low. The limited exemption for entities with 1,000 policies must be expanded to exempt small businesses from the most costly and onerous parts of the regulation. PIANY suggests adopting a threshold of 100 employees to be subject to any portion of this new regulation. All licensees already are subject to the cybersecurity provisions of Regulation 173 in New York.

PIANY also believes the requirements to ensure third-party provider compliance are unrealistic; the definition of "protected information" in the regulation is too broad; the required reporting of cybersecurity events would require hundreds of reported incidents every day; and the 72-hour reporting requirement for any "cybersecurity event" is unrealistic and could be harmful to combating cybercriminals and events.

PIANY is preparing substantive legal comments to submit to the NYDFS during the 45-day comment period and is scheduled to meet for a second time with NYDFS staff to explain the damaging effects the adoption of this regulation would have upon independent insurance agents and brokers.
