Filed Under:Agent Broker, Sales & Marketing

Proposed changes to NY cybersecurity regs could affect financial institutions

Insurance companies are covered by these regs.

Insurance companies and their clients may be affected by updated cybersecurity regulations in New York State. After a public comment period, more changes may be forthcoming. (Photo: Shutterstock)
Insurance companies and their clients may be affected by updated cybersecurity regulations in New York State. After a public comment period, more changes may be forthcoming. (Photo: Shutterstock)

The New York State Department of Financial Services (NYDFS) last week issued an updated draft of its cybersecurity regulations after considering submitted comments, issues, and concerns regarding its initial proposal.

Financial institutions should be aware of any modifications to ensure they are up-to-date on the requirements.

The updated regulations appear to be more practical and are more clearly risk-based than the original version proposed in September 2016. Many of its requirements are now linked to each covered entity’s risk assessment, which must be conducted and updated “periodically.”  

Updated regulations

The regulations — which take effect March 1, 2017, following a second 30-day notice and public comment period — apply to banking, insurance and other financial services organizations that fall under the purview of the NYDFS. The regulations have been modified in the following additional key areas:

  • The definition of “nonpublic information,” which is subject to the regulation, has been revised to make it narrower and closer to the more common definitions of “personal information.”
  • Many requirements received extended compliance timelines, ranging from 12 to 24 months compared to the default of six months.
  • Covered entities can comply through an affiliate; therefore, a group of companies need not have multiple programs.
  • Covered entities are no longer required to identifynonpublic information stored in their systems.
  • The requirement to have an annual review of the cybersecurity policy by the board of directors of the covered entity has been removed.
  • Multifactor authentication and encryption of data in transit and at rest are no longer mandatory and are dependent on the risk assessment and the existence of compensating controls.
  • The requirement to conduct quarterly penetration testing has been relaxed to allow for periodic and continuous reviewing, monitoring and testing.
  • The requirements for third-party service providers (TPSPs) have been softened to allow more flexibility in contract negotiations with TPSPs.
  • Incident response plans must only address events “materially” affecting information systems or the continuing functionality of a financial institution’s business or operations, as opposed to any event; similar changes were made to the duty to report “cybersecurity events” to the superintendent.
  • A new confidentiality provision protects covered entities with respect to the information provided in the required annual certification to the New York superintendent of insurance.
  • The exemptions provision has been expanded and also requires that a covered entity that qualifies for an exemption file a notice of exemption.

Pending the public comment period, there may be more changes coming to the regulation. Financial institutions operating in New York should review the updated proposed regulation against existing policies and procedures to ensure compliance and mitigate against potential fines or penalties.

Work with your insurance advisors to understand how insurance — including cyber liability — can help you mitigate and transfer these risks.

Related: New York regulator rolls out cybersecurity proposals for insurance, banks

Ben Zviti is senior vice president, in Marsh’s Financial and Professional Products (FINPRO) Specialty Practice. He can be reached at This article first appeared on and is reprinted here with permission. Visit the Marsh Risk in Context blog for the original post.

Featured Video

Most Recent Videos

Video Library ››

Top Story

6 behaviors that could spawn a sexual harassment lawsuit

Sexual harassment scandals loom large among the events that shaped 2017.

Top Story

2017's 10 most hazardous toys

The Boston-based nonprofit World Against Toys Causing Harm, Inc. (W.A.T.C.H.) has released its annual list of the 10 worst toys of 2017.

More Resources


eNewsletter Sign Up

Agent & Broker Insider eNewsletter

Proven success tips and essential information to help agents and brokers grow their practice – FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.