Examining the Recently Introduced New York Department of Financial Services Regulation

Posted by Mark Greisiger

A Q&A with Alice Kane and Philip Goldstein of Duane Morris, LLP

Acknowledging the degree to which cyber theft poses a threat to the insurance industry, the New York Department of Financial Services (NYDFS) issued a proposed cybersecurity regulation in September. We talked to Alice Kane and Philip Goldstein, attorneys at Duane Morris, LLP, about the regulation and its implications for the insurance industry.

Can you give a high level overview of why New York is coming out with this regulation?
The NYDFS started to do surveys of the entities they regulate—banks and insurance companies—and came up with separate reports for each industry. They saw that cyber threats were important and growing, and as a result they issued this regulation to address the security for insurance companies.

What are the key components or standards required by this proposed regulation?
The major ones are:

  • Insurance and financial services organizations are now required to have a written cybersecurity policy and incident response plan
  • The organizations must have a chief information security officer (CISO), who must implement the cybersecurity policy and incident response plan
  • The incident response plan must be certified annually by either the board or a senior officer
  • If there is an incident, the organization must report it to the regulator within 72 hours
  • Third-party vendors are required to ensure data security, including multifactor authentication

Can you speak to why a data breach response plan is vital?
It would be harder to explain not having one these days. Data breaches are not anomalies. Attacks come on fast when they happen, and organizations need to be ready to respond at all levels. A good response plan should address top management as it relates to the policy, and when and how to give notice to consumers, regulators and law enforcement in the event of a breach. It should also address public relations because, as we have seen, there are huge ramifications for organizations’ public image.

Is there any anticipated pushback from the private sector about the breadth or strictness of the regulation?
The comment period ends on November 14, 2016 and we expect to see some pushback.

Are there any known or anticipated penalties for non-compliance?
The regulation itself doesn’t have a specific penalty but under insurance law the Department will establish the fines and penalties for violations. However, organizations need to take this seriously and comply not because of potential penalties but because this is something everyone must do in this day and age.

Do you have any takeaway advice for a corporate risk manager who is concerned about future data breach events and wants to maintain good faith compliance with regulations?
The risk manager just got a great ally in that companies are now required to have a CISO who has technical IT expertise. This is experience that risk managers don’t typically have. This regulation gives risk managers an agenda and direction and it requires other members of the organization to bear some responsibility. They need to know what’s expected of them and they must recognize that these practices don’t guarantee that data breaches won’t happen—this is a minimum standard being put into place.

In summary…
We want to thank Ms. Kane and Mr. Goldstein for their concise summary of this topic and of what looks to be yet another emerging “standard of care” for safeguarding sensitive customer data and records. Of particular interest is the granular approach New York State has taken in requiring specific safeguard and response controls and processes, such as an affirmative written data breach response plan. We have seen firsthand that the cyber liability insurance industry often requires a data breach plan from policyholders. Keep in mind that an effective data breach response crisis plan goes above and beyond the standard “disaster recovery plan” (which many organizations may have, but which is often focused on the physical world). The data breach response plan is a roadmap for handling a data breach crisis event, including the legal requirements involved and the assistance owed to victims impacted by the breach. These can be complex matters to address and should be guided by a knowledgeable Breach Coach® lawyer. In short, the comment by these experts, “It would be harder to explain not having one these days,” is spot on!

For more information about building a data breach response plan and NetDiligence’s Breach Plan Connect™ solution, visit Incident Response at the NetDiligence website.