
You're not done with your agency's cybersecurity requirements yet

What you need to know about third-party service provider policy requirements

All insurance agents, brokers and companies licensed in New York state, including nonresident licensees, are required to comply with the New York State Department of Financial Services' cybersecurity regulation, which sets a series of deadlines for reaching full compliance.

If you've been meeting all the deadlines, your agency has filed its limited exemption, prepared its cybersecurity program and policy, and completed a risk assessment of its information systems. You've also filed your certification of compliance with the NYDFS through its online portal, and you're thinking you must be done with all of this cybersecurity business. You can go back to running your agency, right? Not so fast.

You still have to address every third party with which you share nonpublic information, and you have until March 1, 2019, to do so. This includes your agency management system provider, your insurance carriers, and a host of other companies, such as those that run your driver history reports. The specific requirements are contained in Section 500.11, Third-Party Service Provider Security Policy.

The third-party service provider requirements of the regulation require each covered entity (a licensed individual or entity) to implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Like your cybersecurity program and policy, these policies and procedures must be based on your entity's risk assessment and must address:

1. the identification and risk assessment of third-party service providers;

2. minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity;

3. due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers; and

4. periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

The policies and procedures also must include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers, including, to the extent applicable, guidelines addressing:

1. the third-party service provider's policies and procedures for access controls, including its use of multifactor authentication as required by Section 500.12 of the regulation, to limit access to relevant information systems and nonpublic information;

2. the third-party service provider's policies and procedures for the use of encryption, as required by Section 500.15 of the regulation, to protect nonpublic information in transit and at rest;

3. notice to be provided to the covered entity in the event of a cybersecurity event directly impacting the covered entity’s information systems or the covered entity’s nonpublic information being held by the third-party service provider; and

4. representations and warranties addressing the third-party service provider’s cybersecurity policies and procedures that relate to the security of the covered entity’s information systems or nonpublic information.

There is a limited exception for an agent, employee, representative or designee of a covered entity who is itself a covered entity. Such a person need not develop its own third-party information security policy if it follows the policy of the covered entity that is required to comply with the regulation.

Simple certification of compliance is not enough

Some members have asked PIA whether, if a covered entity (Covered Entity A) uses another, unaffiliated covered entity (Covered Entity B) as a third-party service provider, and Covered Entity B provides Covered Entity A with evidence of its certification of compliance with the NYDFS cybersecurity regulation, that evidence would be considered adequate due diligence under the due diligence process required by Section 500.11(a)(3).

According to the NYDFS, it would not. The department has emphasized the importance of a "thorough due diligence process" in evaluating the cybersecurity practices of a third-party service provider, and relying solely on another entity's certification of compliance does not meet that standard. Covered entities must do more: they are required to assess the risks each third-party service provider poses to their data and systems and to effectively address those risks.

The department has provided a two-year transitional period to address these risks and expects covered entities to have completed a thorough due diligence process for all third-party service providers by Thursday, March 1, 2019. Make a list of every entity with which you share nonpublic information, and contact your cybersecurity provider today to get a head start on this process.

For more information, see PIA’s Cybersecurity Central or the NYDFS cybersecurity regulation FAQs.
