New York Proposes ‘Flexible’ Cybersecurity Regulation for Insurers, Banks

By Elizabeth Blosfield | September 15, 2016

The New York State Department of Financial Services (DFS) has proposed cybersecurity regulation for financial services companies that aims to protect New York state’s financial services industry from an increasing risk of cyber attacks, Governor Andrew Cuomo announced.

The proposed regulation is the first of its kind in the U.S. It requires banks, insurance companies and other financial services institutions that are regulated by the Department of Financial Services (DFS) to establish and maintain a cybersecurity program designed to protect consumers and ensure safety within New York’s financial services industry, according to a DFS press release.

The proposal, which allows firms to create and enforce their own programs as long as they meet minimum certification standards, also requires employee training in cybersecurity to prevent human errors.

The proposal is subject to a 45-day notice and public comment period before its final issuance.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Cuomo in a public statement. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

The insurance industry is pleased the proposal incorporates flexibility.

 Gov. Andrew Cuomo
Gov. Andrew Cuomo

Attempts to regulate an ever-changing cyber industry presents challenges, said Ellen Melchionni, president at New York Insurance Association Inc., a state trade association representing the property/ casualty insurance industry.

“You could put new regulations out today, but the cyber industry could change a week from now,” she explained. “We have strongly cautioned the DFS against any one-size-fits-all approach. The DFS has listened to our perspective on this issue, and we appreciate its attentiveness in this matter of cybersecurity.”

Indeed, the proposal outlines a plan to establish more robust cybersecurity regulation without being overly-prescriptive in order to keep pace with future changes in technology, an approach that Melchionni believes is imperative in any final ruling.

“I think there are different sophistication levels for different companies of different sizes, so having some flexibility is critical,” she said.

The proposed regulation requires each company to assess its risk profile and design a program that uniquely addresses its needs. It calls on senior management to oversee company cybersecurity programs and file annual certification confirming compliance with the regulations.

This move toward heightened cybersecurity regulation comes as the DFS has closely monitored increasing cyber risk as criminals seek to gain sensitive electronic data by capitalizing on advances in technology. The state sees its financial services industry as a significant target for cyber threats, and while many firms have proactively increased cybersecurity programs, regulators believe more rigorous standards must be set.

Ellen Melchionni
Ellen Melchionni

“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted,” the proposal explains. “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”

Recognizing Human Error

Cyber attacks, data breaches and hacking are of increasing concern to businesses. However, the evolution of technology has also shed light on a different cybersecurity issue: misuse.

“As technology has evolved, we’re also seeing an evolution in people and businesses understanding their exposure with regard to cybersecurity protection,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice. “But along with the evolution of knowledge and technology, human error has increased.”

A 2016 network security and data privacy study released by Wells Fargo Insurance found that employee misuse of technology increased seven percent over the past year.

“It’s important to make sure organizations understand all the places data can hide,” she said. “It can be as simple as the loss of information on paper. We get so ‘new school’ that we tend to forget how to organize the things we write down too. We need to make sure we’re educating employees on all levels, from the CEOs down to the temps.”

With this in mind, the proposed regulation in New York will require all company personnel to attend regular cybersecurity awareness training sessions, an area the Wells Fargo study found to be lacking in many businesses. The study revealed that two out of 10 companies do not have an employee awareness training program, while 15 percent don’t require any training for employees.

Insurance Industry Perspective

As New York state begins to take a closer look at these issues, insurance companies should follow suit, since greater connectivity can present more risk of business interruption, Cusick added.

“I think the insurance industry needs to really address this gap that exists between physical business interruption and technology-based business interruption,” she said. “One thing that’s currently happening more every day is that insurance carriers are offering value add services equivalent to requiring buildings to have sprinklers. They’re doing similar things for cyber risk, such as requiring businesses to improve employee awareness training.”

As technology continues to evolve, insurance companies will need to review the impact of cyber risk from a coverage standpoint and determine whether to offer cyber insurance as a product and what the coverage is going to look like, according to Melchionni.

“Insurance companies are in the business of risk, so assessing potential issues is inherent to the nature of our work,” she stated. “We’ve learned from a number of breaches that have happened across the country that responding to security threats is a continual learning process.”

About Elizabeth Blosfield

Elizabeth Blosfield is the East region editor at Insurance Journal.

Was this article valuable?

Here are more articles you may enjoy.