Proposed changes to NY cybersecurity regs could affect financial institutions

Insurance companies are covered by these regs.

Insurance companies and their clients may be affected by updated cybersecurity regulations in New York State. After a public comment period, more changes may be forthcoming. (Photo: Shutterstock)

The New York State Department of Financial Services (NYDFS) last week issued an updated draft of its cybersecurity regulations after considering submitted comments, issues, and concerns regarding its initial proposal.

Financial institutions should be aware of any modifications to ensure they are up-to-date on the requirements.

The updated regulations appear to be more practical and are more clearly risk-based than the original version proposed in September 2016. Many of its requirements are now linked to each covered entity’s risk assessment, which must be conducted and updated “periodically.”  

Updated regulations

The regulations — which take effect March 1, 2017, following a second 30-day notice and public comment period — apply to banking, insurance and other financial services organizations that fall under the purview of the NYDFS. The regulations have been modified in the following additional key areas:

  • The definition of “nonpublic information,” which is subject to the regulation, has been revised to make it narrower and closer to the more common definitions of “personal information.”
  • Many requirements received extended compliance timelines, ranging from 12 to 24 months compared to the default of six months.
  • Covered entities can comply through an affiliate; therefore, a group of companies need not have multiple programs.
  • Covered entities are no longer required to identify nonpublic information stored in their systems.
  • The requirement to have an annual review of the cybersecurity policy by the board of directors of the covered entity has been removed.
  • Multifactor authentication and encryption of data in transit and at rest are no longer mandatory and are dependent on the risk assessment and the existence of compensating controls.
  • The requirement to conduct quarterly penetration testing has been relaxed to allow for periodic and continuous reviewing, monitoring and testing.
  • The requirements for third-party service providers (TPSPs) have been softened to allow more flexibility in contract negotiations with TPSPs.
  • Incident response plans must only address events “materially” affecting information systems or the continuing functionality of a financial institution’s business or operations, as opposed to any event; similar changes were made to the duty to report “cybersecurity events” to the superintendent.
  • A new confidentiality provision protects covered entities with respect to the information provided in the required annual certification to the New York superintendent of insurance.
  • The exemptions provision has been expanded and also requires that a covered entity that qualifies for an exemption file a notice of exemption.

Pending the public comment period, there may be more changes coming to the regulation. Financial institutions operating in New York should review the updated proposed regulation against existing policies and procedures to ensure compliance and mitigate against potential fines or penalties.

Work with your insurance advisors to understand how insurance — including cyber liability — can help you mitigate and transfer these risks.

Ben Zviti is senior vice president, in Marsh’s Financial and Professional Products (FINPRO) Specialty Practice. He can be reached at ben.zviti@marsh.com. This article first appeared on Marsh.com and is reprinted here with permission. Visit the Marsh Risk in Context blog for the original post.