National Aug 10, 2018
NYDFS responds to industry letter on third party service provider issue
As previously reported, PIANY recently sent a joint letter to the New York Department of Financial Services as part of a coalition of producer groups. The letter asked for clarification on whether a producer would be considered a third party service provider or an authorized user of a carrier (and vice versa) under New York State’s cybersecurity regulation.
The NYDFS responded to this letter by updating its cybersecurity regulation FAQ. DFS stated: “A producer can be considered a Covered Entity, an Authorized User, and a Third Party Service Provider depending on the facts and the circumstances.”
The NYDFS stated that a DFS-licensed independent agent that works with multiple insurance companies is a Covered Entity with its own obligation to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information. See 23 NYCRR 500.02 (23 NYCRR Part 500).
In addition, when the independent agent holds, or has access to, any Nonpublic Information or Information Systems maintained by an insurance company it works with (for example, for quotations, issuing a policy or any other data or system access), the independent agent will be a Third Party Service Provider. This status applies only with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including but not limited to risk-based policies and procedures for minimum cybersecurity practices, due diligence processes, periodic assessment, access controls and encryption).
Further, an independent agent also will be an Authorized User if it participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.
It is also noted that, like any other Covered Entity, an insurance company may be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.
In all events, each Covered Entity is responsible for thoroughly evaluating its relationships with other entities, in order to ensure that it is fully complying with all applicable provisions of 23 NYCRR Part 500.