As New York goes, so goes the nation? With regards to cyber security regulations for insurers, that may prove to be true.
On March 1st, New York adopted new cyber security rules for insurers, as well as state-chartered banks and foreign banks licensed in the state. The intention is to provide a uniform approach to online protection.
As often happens once one state introduces new legislation, other states frequently follow suit or the regulations are adopted nationwide. “The New York regulation is a road map with rules of the road,” explains Maria Vullo, superintendent of the New York State Department of Financial Services. Already, the New York regulations are being used as a reference by the National Association of Insurance Commissioners (NAIC) as they finalize a fourth draft of model cyber security guidelines for every jurisdiction. Although you can find the full New York regulation here, this is what might be on the horizon for insurers and banks in other states where legislators decide to follow the New York/NAIC models:
- Specific, mandated steps to protect networks and customer data from hackers
- Required disclosure of cyber events to state regulators
- Proof that third-party vendor security has been scrutinized, including risk assessments of all potential breach points
- Annual compliance certification
While there may be no immediate impact to your organization, we do want to keep you abreast of these new cyber-security requirements, as the same or similar may surface in your own state soon. Please don’t hesitate to contact MJ if you have any questions on this topic, and we’ll continue to monitor for any new state or national regulations, as well as changes to current laws that could impact your online security procedures related to insurance.
Carol J. Scully is the director of strategic risk management at MJ Insurance. With over twenty years of global risk management experience, Carol oversees MJ's comprehensive risk management and risk analysis programming and initiatives.