Members of the insurance and banking sectors are keeping an eye on the New York State Department of Financial Services (NYDFS) as it finalizes revised cybersecurity regulations.
The agency released a revised draft of the regulation earlier this year, intended to be more practical and risk-based than the original version proposed in September 2016.
To illustrate the potential ‘butterfly effect’ that these regulation updates in New York could have on financial services operations nationwide, we turned to Adam Hamm, an insurance industry leader with a long history of working on cyber and data security issues.
Hamm is a managing director in Protiviti's Risk and Compliance practice serving clients within the financial services industry. He is based in Protiviti's Chicago office. He has more than 20 years of experience in insurance regulation, cybersecurity and risk management, having previously held U.S. state and federal government senior leadership positions. He served as president of the National Association of Insurance Commissioners (NAIC) and was elected chairman of the NAIC's National Cybersecurity Task Force, where he spearheaded the development of a comprehensive insurance regulatory framework for cybersecurity in the U.S. Hamm was elected in 2008 to serve a four-year term as North Dakota Insurance Commissioner and was subsequently re-elected to a second term.
Additionally, Hamm has served on several federal committees, including the U.S. Financial Stability Oversight Council; the Cybersecurity Forum for Independent and Executive Branch Regulators; and the Financial and Banking Information Infrastructure Committee. Prior to that, he spent ten years as a prosecutor and civil litigator.
Hamm holds degrees from the University of North Dakota School of Law and Sam Houston State University, where he studied criminal justice.
In his new role with Protiviti, Hamm facilitates risk management, compliance and cybersecurity matters for clients throughout the insurance and financial services industries.
PC360: What do the new NYDFS rules mean for insurance companies, especially property and casualty companies?
Hamm: For the first time, there are a set of very specific cyber regulations that insurance companies will have to follow. At some point after March of 2018, their cybersecurity programs will be thoroughly reviewed by New York's insurance regulator, and the regulator may or may not give advance notice.
PC360: Is there likely to be more impact on smaller companies than large ones?
Hamm: Rather than the regulations causing more or less impact on smaller companies, it will simply be a different impact. On one hand, smaller companies may not have a complete cybersecurity program or policies in place, nor a full-time Chief Information Security Officer; on the other, big companies will be challenged to have policies that adequately protect the entire entity, as well as challenges in overseeing all of their third-party service providers. The bottom line is that the new cyber regulations will present different types of compliance challenges for all regulated entities.
PC360: Our understanding is that every company will have to conduct and comply with a risk assessment. What practical issues does this raise?
Hamm: The main practical issues regarding the risk assessment requirement (Section 500.09) are that companies need to get started as soon as possible in order to complete it by March of 2018, they need to make the documented risk assessment enterprise wide, and they need to tailor how they address cybersecurity in the context of the risks their assessment discovers. By this time next year, companies should at least have a plan in place to address their risks.
PC360: Are there new key terms that insurers should be aware of?
Hamm: While the terms used in the regulations are not new to insurers, one term that is used throughout the regulations may have a substantial impact. The term "material" or "materially" is used in multiple sections of the regulations, including sections 500.01 (definition of "nonpublic information"), 500.04 (Chief Information Security Officer), 500.06 (Audit Trail), 500.16 (Incident Response Plan) and 500.17 (Notices to Superintendent). However, the regulations do not define "material" or "materially," so how the New York Department of Financial Services decides to interpret that term may end up playing a large role in how challenging compliance is for companies.
PC360: Do you have any tips for companies in conducting the risk assessment?
Hamm: Basically the same answer as the question above regarding practical issues — companies need to get started as soon as possible in order to complete the risk assessment by March of 2018, they need to make sure the documented risk assessment is enterprise-wide, and they need to tailor how they address cybersecurity in the context of the risks their assessment discovers.
PC360: Another update: Someone in the C-suite will have to personally certify compliance. What issues will this raise? Do you expect this to have an impact on D&O liability?
Hamm: Appendix A of the regulations lays out the specific certification of compliance language and calls for either the board of directors or a senior officer of the covered entity to sign. The obvious issue this raises is that whoever signs the compliance certification needs to have a thorough understanding of what the covered entity has done to comply with the regulations and that to the best of his/her knowledge, they are indeed compliant. Regarding an impact on D&O liability, it's too early to know if there will be an impact, but it will certainly be something to monitor.
PC360: What other key points do you believe insurers should be aware of?
Hamm: Another key compliance issue for companies regarding the new cyber regulations will be how they decide to handle multi-factor authentication (Section 500.12) and encryption of nonpublic information (Section 500.15). While the final regulations are less prescriptive on these issues than earlier drafts, each section may present challenges to companies as they determine how to address these issues within their overall cybersecurity program.