The rollout of New York’s cybersecurity regulations is well underway. September 4, 2018, marked the eighteen-month transitional deadline, and all sections of Part 500 of the regulation are now effective. Compliance with the New York regulation follows this schedule:
March 1, 2017
Establish a cybersecurity program
Create and maintain a written cybersecurity policy
Designate a chief information security officer
Utilize cybersecurity personnel to manage the entity’s cyber risks
Establish an incident response plan
February 15, 2018
File cybersecurity report with regulators
Perform penetration testing and perform vulnerability assessments
Conduct bi-annual risk assessment
September 4, 2018
Establish and maintain audit trails
Implement application security protocols
New York was the first state to adopt cybersecurity regulations, with initial compliance beginning in August 2017. On October 24, 2017, the National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law, a legal framework requiring insurance companies to operate cybersecurity programs. The Insurance Data Security Model Law incorporates many of the requirements of the New York regulation. Legislation based on the Insurance Data Security Model Law has been adopted in South Carolina and Rhode Island and is likely to be adopted by other states soon.
As the landscape continues to change, cybersecurity is something that insurers need to address. Entities without a cybersecurity program need to make one a reality. If you need assistance implementing a cybersecurity program as part of your enterprise risk management program or developing formal policies to address these risks, JLK Rosenberger can help.