NYS cybersecurity regulation: What you need to know, how PIA is helping

PIA is working with a vendor to develop and offer a product to help agents that do business in New York state comply with new regulations being adopted by New York’s Department of Financial Services. Because the regulation is slated to take effect on March 1 but the draft has yet to be finalized, we can’t say for sure what final changes will be adopted. But we are working to ensure that a product is available to you as soon as you need to be in compliance.

Looking through the requirements of the regulation, you should notice a few things:

1. ALL LICENSED ENTITIES/PERSONS ARE SUBJECT TO THIS REGULATION—Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

2. Some Covered Entities may qualify for a "Limited Exemption" to some of the requirements of the regulation:

    • fewer than 10 employees (instead of <1,000 customers), OR
    • less than $5 million in gross annual revenue, OR
    • less than $10 million in year-end total assets.

Covered entities claiming the exemption will be required to file an exemption notice with the NYDFS.

3. Entities qualifying for the "Limited Exemption" will still be required to comply with the following six provisions:

    • establishing a Cybersecurity Program and implementing Cybersecurity Policies designed to protect its Information Systems;
    • limiting and periodically reviewing Access Privileges;
    • conducting periodic Risk Assessments of Information Systems [starting March 2018];
    • implementing policies and procedures to secure information accessible to Third-Party Service Providers [starting March 2019];
    • establishing policies for Disposal of Nonpublic Information no longer needed; and
    • providing Notice to the Superintendent of a Cybersecurity Event.

4. This revised "Limited Exemption" definition WILL EXEMPT those qualifying Covered Entities from:

    • designation of a Chief Information Security Officer;
    • penetration testing and vulnerability assessments [starting March 2018];
    • establishment of an Audit Trail [starting September 2018];
    • application security [starting September 2018];
    • employment of Cybersecurity Personnel;
    • multi-factor authentication [starting March 2018];
    • training of employees [starting March and September 2018 and monitoring of authorized users];
    • encryption of data [starting September 2018 at rest and in transit]; and
    • development of an Incident Response Plan.

5. The effective date is March 1, but many of the individual provisions are phased in over time: 12 months, 18 months or 24 months.

6. The regulation includes a 180-day period for regulated entities to become compliant—Covered Entities shall have 180 days from the effective date of the proposed rule to comply with its requirements.

7. The degree to which the regulation will impact your agency is to be determined by an individual "Risk Assessment" of your agency’s information system. Many of the requirements of the regulation are premised on the results of this risk assessment. Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part.

8. All Covered Entities will be required to annually prepare and submit a Certification of Compliance pursuant to Section 500.17 commencing Feb. 5, 2018.

9. Notice is required within 72 hours of a determination that a Cybersecurity Event of either of the following kinds has occurred:

    • Cybersecurity Events of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body, and
    • Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

10. Each Covered Entity shall maintain a Cybersecurity Program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The cybersecurity program shall be based on the Covered Entity’s Risk Assessment.

11. Cybersecurity Policy: Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.

12. Pending the public comment period, there may be more changes coming to the regulation.
