As the insurance industry has closely followed developments regarding the New York State Department of Financial Services’ (DFS) cybersecurity regulation, concerns remain about how the final regulation, set to go into effect March 1, may impact mid-sized companies in particular.
“It is the mid-sized covered entities that may see the biggest impact, as it’s unlikely they will qualify for an exemption, [they] are more likely to have a meaningful cyber risk profile, and they may not have sufficient resources or budget to meet their obligations,” said Ben Zviti, senior vice president in Marsh’s Financial and Professional Products (FINPRO) Specialty Practice.
The final regulation, which is aimed at protecting New York’s financial services industry from the threat of a cyber attack, serves as the first of its kind in the U.S. It requires banks, insurance companies and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program to protect consumers’ private data and ensure safety within New York’s financial services industry, according to a press release issued by the New York DFS announcing the regulation.
The regulation requires each company overseen by the New York DFS to assess its specific cybersecurity risk profile and design a program that addresses those risks, Zviti said.
“Larger financial institutions, with greater resources in terms of budget and personnel which are already subject to other regulatory cyber requirements, are likely to have already addressed many of the requirements of the regulation – or at the very least, are in the process of addressing them and are less likely to see a big impact,” he said.
Smaller institutions, on the other hand, may qualify for an exemption under the regulation, leaving much of the uncertainty about impact with the mid-sized companies that may have neither the budget to comply nor the characteristics that would qualify them for an exemption.
“There will be a significant amount of work for those entities that are resource challenged, and the costs associated with complying with the regulations will have to be accounted for,” Zviti said. “The costs may be passed on to individuals, may result in an increase in outsourcing cybersecurity functions or could potentially result in entities having to shut down operations.”
Bernie Heinze, executive director at the American Association of Managing General Agents (AAMGA), explained that when the initial proposed regulation was rolled out, AAMGA asked its members what compliance with the regulation may mean for them in terms of cost.
“They came back to us and said, ‘We’re looking at estimates between $65,000 and $85,000 per year of added costs of either employing or designating somebody as a chief information security officer (CISO) and annual costs of risk analysis and penetration testing – those are specialized skills,’” he said. “This is not usually something main street insurance agents, brokers or wholesale specialty insurers will have around.”
Heinze stated that while the final regulation issued March 1 has achieved more flexibility from the initial proposal, additional adjustments may be needed to make it more pragmatic and proportional based upon the nature and scope of each licensee and its operations.
“Banks and other institutions that have social security numbers and health information certainly should be regulated differently than business entities that transact only with name and address information and policy numbers,” he added.
Although the final regulation has evolved from the initial proposal by relaxing some of the encryption requirements and compliance standards, which can help limit the costs of compliance, others in the industry believe there is still work to be done.
“While some challenges remain, overall the final cybersecurity regulation provides greater flexibility so insurers are able to better adapt to an evolving threat landscape,” said Alison Cooper, Northeast region vice president for The American Insurance Association (AIA), in a statement.
AIA had previously submitted comments to the New York DFS emphasizing the need for greater flexibility so that companies can adapt to the evolving threat landscape and emerging technologies in a manner that best fits their risk profile, according to a press release issued by AIA.
“We emphasized how critical it is for insurers to have the ability to tailor and implement their cybersecurity programs in a risk-based manner,” Cooper said in her statement. “AIA looks forward to working with DFS on the implementation of the regulation so that insurers can continue to do their part in safeguarding against potential cyber-attacks.”
The recommendation that the regulation be flexible enough to recognize differences in operations, and avoid subjecting small-to-medium-sized businesses and those holding little personal data to the same standards as larger institutions, has been echoed by others in the industry.
“You have to be flexible and can’t just have it carved in stone,” stated Dianna McCarthy, Partner at Winget, Spadafora & Schwartzberg. “Each business has its own information to protect that other businesses might not have, so a cookie cutter plan won’t work across the board for everybody.”
Another cost concern relates to a potential increase in litigation, especially in the D&O space, according to Angelo Stio, partner in the Litigation and Dispute Resolution Department of Pepper Hamilton LLP.
“I think you may see some litigation challenging the actions of directors and officers with regard to annual certifications, risk assessments, and failing to dedicate assets to reduce risks,” he said. “On this issue, it will be critical for an organization to document its compliance with the regulation and the rationale and actions taken by directors and officers.”
Despite potential challenges, the industry also sees several benefits with the final regulation.
“Cyber-attacks by nation-state and for-profit actors continue to increase, and financial institutions remain key targets,” Zviti said. “Therefore, from a general perspective, efforts to enhance cybersecurity policies and procedures should help consumers. By performing risk assessments, covered entities will better understand their vulnerabilities, identify their high value data assets, critical vendors, disaster recovery and business continuity plans and become safer.”
Indeed, the regulation’s requirement that financial services institutions create a written action plan for a crisis situation can be a valuable tool in the event of a data breach, as it offers guidance for companies and takes the guesswork out of how to handle a crisis, McCarthy added.
“I think [the cybersecurity regulation issued by the New York DFS] might be a way to protect what it feels to be one of its primary infrastructures,” she said. “This is an effort by New York to protect its consumers and its residents.”
Background and Response
The regulation was first proposed in September with a 45-day notice and public comment period ending in November. After considering all comments submitted during that period, the New York DFS issued an updated proposed regulation in December, subject to an additional 30-day comment period. The final regulation was announced in February, with transitional periods for compliance, as laid out in the final regulation, ranging from 180 days up to two years from the March 1 effective date.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” New York Governor Andrew Cuomo said in a statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
As the industry waits for the full effects of the final regulation to be realized, McCarthy is calling for additional flexibility in how it is implemented.
“I think there will be some flexibility as the New York DFS is getting into the regulation, because it is new to this area too,” she said. “I think there are definitely some more kinks to work out with it, and I do believe they’re trying. The overall goal, which is to promote the protection of customer information, is good and is based on good intentions. I just hope that it’s implemented in a positive fashion.”
Just as New York’s efforts to regulate cybersecurity have evolved, Zviti is also urging companies across all industries to keep pace with the constantly changing world of technology and cyber risk.
“Information security is a process and a journey, not a destination,” he said. “All industries need to face the challenge of constantly evolving to ensure vigilance in awareness and risk mitigation.”