August 7th, 2018

Regulatory Landscape Part III: New York Department of Financial Services Regulation

Posted at 2:00 AM ET

The recently enacted European Union (EU) General Data Protection Regulation (GDPR), the National Association of Insurance Commissioners (NAIC) Model Law and the New York State Department of Financial Services (NYDFS) Cybersecurity Act all address data privacy (the personal information of individuals) and data protection (using such personal information for business objectives), but from different perspectives. The NYDFS and NAIC regulations are focused on the technical requirements of financial service companies to assess cyber risk in their systems, implement additional security and report breaches promptly.

The NYDFS regulation became effective on March 1, 2017. The Department is requiring companies to file Certifications of Compliance with specific sections of 23 NYCRR Part 500 (NY Regulation) according to a timetable of various transition periods (1).

By the end of the one year transitional period, on March 1, 2018 - “Covered Entities,” including all New York licensed insurers and brokers, were required to submit a certification and be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of the NY Regulation. The NYDFS will approve certain limited exemptions for Covered Entities. This option is only available for filings for entities of 50 or more employees or captive agents and only if all employees or captive agents qualify for the same exemptions.

Key Reporting Requirements under the NY Regulation

The Chief Information Security Officer (CISO) must report to the full company board to enable the board to assess the Covered Entity’s governance, funding, structure and effectiveness and compliance with the NY Regulation.

The required incident response plan of a Covered Entity’s cybersecurity program must address external communications, including those to affected customers, in the aftermath of a breach. In addition to the NY Regulation, there is a separate New York information security breach and notification law (General Business Law Section 899-aa) that requires notice to consumers after a breach that affects them.

Under 23 NYCRR 500.17(a)(1), when a data breach constitutes a Cybersecurity Event it must also be reported to the NYDFS. A Covered Entity must report successful cyber attacks and unsuccessful attacks that have or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” under the reporting requirements of 23 NYCRR Section 500.17(a)(2). However, regular, almost routine attempts to gain unauthorized access to disrupt or misuse information systems that are thwarted by the Covered Entities’ cybersecurity programs are not reportable. A Covered Entity is required to report those unsuccessful attacks that, in the Covered Entity’s judgment, are sufficiently serious to raise a concern, such as those requiring extraordinary resources or exceptional attention by senior personnel.

Under 23 NYCRR Section 500.17, a Covered Entity must identify any systems or processes that require material improvement, and document any of its efforts for NYDFS examination.

Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.

Developments in the Data Privacy Regulatory Landscape (Introduction)

Regulatory Landscape Part I: The New Privacy Order Created by GDPR

Regulatory Landscape Part II: Extra-Territorial Application of GDPR

Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers

Regulatory Landscape Part V: NAIC Model Law

Regulatory Landscape Part VI: California Consumer Privacy Law

Regulatory Landscape Part VII: Conclusion

Click here to register to receive e-mail updates >>

(1) March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500. September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of secĀ­tions 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500. March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11. See “Key Questions About the Recent Cyber Regulation Notice, The NYDFS has also published Frequently Asked Questions to prepare for the implementations deadlines.

AddThis Feed Button
Bookmark and Share

Related Posts