Come August 28, any insurance company, agency, insurance brokerage firm or individual insurance professional licensed to do business in New York will be required to maintain a written cyber security policy.

Also under the new regulation, the cyber security programs will need to include regular risk assessments as of March 1, 2018.

“This new regulation is expected to increase compliance costs considerably,” said Larry Hamilton, a partner at Mayer Brown in Chicago who is focused on the insurance industry. “Many entities will have to hire additional personnel with the necessary qualifications as well as implement additional programs beyond what they already have.”

A number of high-profile cyber breaches targeting companies including Target, Home Depot and Anthem Health prompted the regulation, according to Antony Haynes, associate dean and head of cyber security and data privacy programs at Albany Law School. “The regulators' point of view is very simple,” Haynes told Financial Advisor magazine. “They're protecting consumers from having their private data, Social Security numbers, health-care information and financial records revealed and exploited by cyber criminals.”

Haynes, who has followed the development of the regulation over the past three years, added that the thinking behind the rule is that New York is a “global financial powerhouse for the entire planet and it has a responsibility to take the lead in setting an example.”

Insurance businesses and insurance professionals that do not maintain office space in New York but conduct business in the state are also subject to the new rules.

“Smaller businesses are exempt from some of the requirements, but by no means all of them,” Hamilton said. “If you’re licensed to sell insurance in New York, many of the rules apply to you no matter what size your business is.”

Some firms don't view the regulations as a burden. The rules, which will be enforced by the N.Y. Department of Financial Services (NYDFS), dovetail with measures that had already begun at insurance broker Burns & Wilcox, an executive at the firm said.

“Having a cyber security program in place, penetration testing and accommodating multi-factor authentication are all controls we've been either planning or already implementing,” said David Derigiotis, director of professional liability and corporate vice president at Burns & Wilcox, an international wholesale insurance broker and underwriting manager.

Like other insurance organizations that have operations in New York, Burns & Wilcox would rather be safe than sorry, he said.

“The cost of a data breach, the fines associated with non-compliance and having the premiums increase within our insurance portfolio is much higher than the upfront investment in time and energy required to be compliant,” Derigiotis said.

Although the controls the law requires are not new to most major insurers, the reporting that's required is, said Charlie Jacco, principal and financial services leader at KPMG Cyber Services.

“Insurers now have added strain to their IT risk management and internal audit groups because they are required to report to an additional regulatory body and they may not have the metrics in place to do so,” Jacco said. “It’s the smaller insurers and insurance agents, however, that will be most affected by these new requirements.”

Of the 27,000 licensed insurance agencies or firms in the U.S., 17,000 are in the state of New York and 10,000 are non-residents but maintain a New York license, according to the Independent Insurance Agents & Brokers of America (IIABA) in Washington D.C.

“It seems likely there will be some universe of entities that will opt to relinquish licenses as opposed to comply with the regulation,” said Wes Bissett, senior counsel of government affairs with the IIABA. “It depends somewhat on the additional guidance that comes from the department in New York. Right now a lot of people are scratching their heads about exactly what they're going to need to do to achieve compliance.”

The first thing insurance companies should do is designate a chief information security officer who reports to the board of directors, said Jim Ambrosini, managing director of cyber security with CohnReznick Advisory.

“Entities that are covered by these new regulations need to start now to instill greater peace of mind and confidence for stakeholders and to potentially create a competitive business advantage,” Ambrosini said.