
The recently enacted European Union (EU) General Data Protection Regulation (GDPR), the National Association of Insurance Commissioners (NAIC) Model Law and the New York State Department of Financial Services (NYDFS) Cybersecurity Act all address data privacy (an individual's control over his or her personal information) and data protection (safeguarding such personal information when it is collected and used for business purposes), but from different perspectives. The NYDFS and NAIC regulations focus on the technical obligations of financial services companies: to assess the cyber risk in their systems, to implement additional security controls and to report breaches promptly.
The NYDFS regulation became effective on March 1, 2017. The Department requires companies to file Certifications of Compliance with specific sections of 23 NYCRR Part 500 (the NY Regulation) according to a timetable of transition periods (1).
By the end of the one-year transitional period on March 1, 2018, "Covered Entities," including all New York licensed insurers and brokers, were required to submit a certification and to be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of the NY Regulation. The NYDFS grants certain limited exemptions for Covered Entities. A Covered Entity may file exemption notices on behalf of its employees or captive agents as a group only if the filing covers 50 or more employees or captive agents and all of them qualify for the same exemptions.
Key Reporting Requirements under the NY Regulation
The Chief Information Security Officer (CISO) must report to the full company board so that the board can assess the Covered Entity's cybersecurity governance, funding, structure and effectiveness, as well as its compliance with the NY Regulation.
The required incident response plan of a Covered Entity's cybersecurity program must address external communications, including those to affected customers, in the aftermath of a breach. In addition to the NY Regulation, there is a separate New York information security breach and notification law (General Business Law Section 899-aa) that requires notice to consumers after a breach that affects them.
Under 23 NYCRR 500.17(a)(1), a data breach that constitutes a Cybersecurity Event and that must be reported to another government body, self-regulatory agency or supervisory body must also be reported to the NYDFS. Under 23 NYCRR Section 500.17(a)(2), a Covered Entity must also report successful cyber attacks and unsuccessful attacks that have or had "a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity." In either case the notice is due as promptly as possible and in no event later than 72 hours after the Covered Entity determines that the Cybersecurity Event occurred.
However, regular, almost routine attempts to gain unauthorized access to, disrupt or misuse information systems that are thwarted by the Covered Entity's cybersecurity program are not reportable. A Covered Entity is required to report those unsuccessful attacks that, in the Covered Entity's judgment, are sufficiently serious to raise a concern, such as those requiring extraordinary resources or exceptional attention by senior personnel.
Under 23 NYCRR Section 500.17(b), a Covered Entity that has identified systems or processes requiring material improvement must document both that identification and the remedial efforts planned or under way, and must keep that documentation available for NYDFS examination.
Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.
Developments in the Data Privacy Regulatory Landscape (Introduction)
Regulatory Landscape Part I: The New Privacy Order Created by GDPR
Regulatory Landscape Part II: Extra-Territorial Application of GDPR
Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers
Regulatory Landscape Part V: NAIC Model Law
Regulatory Landscape Part VI: California Consumer Privacy Law
Regulatory Landscape Part VII: Conclusion
Notes:
(1) March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500. September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500. March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
See "Key Questions About the Recent Cyber Regulation Notice," https://www.dfs.ny.gov/about/cybersecurity.htm
The NYDFS has also published Frequently Asked Questions to help Covered Entities prepare for the implementation deadlines: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm