Deadline Now Oct. 30 for New York State Licensees to Submit Cyber Notices

  • By:
  • September 22, 2017

By: Wes Bissett

Earlier this year, the New York Department of Financial Services (NYDFS) promulgated a data security regulation that will take effect in stages over the next two years. Its requirements impose new obligations on every resident and nonresident insurance agency—and every resident and nonresident individual—licensed by New York.

Several notable elements of the regulation took effect in late August, and all agencies and individual agents licensed in New York now face additional reporting obligations. New York initially announced that action must be taken by September 27, but the deadline has been extended to October 30.

For Agencies – Most of the requirements outlined in the regulation apply broadly to every resident and nonresident licensee, but there are a series of heightened requirements that also apply to a small universe of larger entities. An entity must comply with the additional mandates unless it has (1) fewer than 10 employees (including independent contractors), (2) less than $5 million in gross annual revenue, or (3) less than $10 million in year-end total assets. Most independent agencies will satisfy one of these three criteria and be exempt from the extra requirements, but New York regulators are nevertheless requiring such entities to file a notice of limited exemption with the state. In short, any New York-licensed insurance agency that qualifies for the limited exemption and does not want to be subject to the heightened requirements must file a notice with the state before the revised deadline. The filing must be made through the NYDFS website, and information explaining how to submit the notice can be found here.

For Individual Agents – New York regulators have also decided that individual agents must either develop their own cybersecurity programs or be covered by a program implemented and maintained by their affiliated agencies. Since the development of a cybersecurity program is an enterprise-level endeavor, it is unlikely that any individual agents will be complying with the regulation on their own. They will instead be relying on their agencies to institute an appropriate program that satisfies the obligations imposed by the regulation. Nevertheless, New York regulators are requiring all individual licensees who do not develop their own personal cybersecurity programs to file a notice of exemption with the state. As a result, and in order to eliminate the possibility of being deemed non-compliant and fined, all New York-licensed insurance agents who are covered by cybersecurity program of their agencies will want to satisfy this reporting requirement. These filings must also be made via the NYDFS website, and information explaining how to complete this process can be found here.

The exemption filings described here need only be filed once, but they must now be made by October 30. If circumstances change and either the agency or the individual agent no longer qualifies for an exemption identified in the filing, then the entity or individual will have 180 days to comply with the all applicable elements of the regulation. In addition to the exemption filing requirements, covered entities must also satisfy a separate annual “certificate of compliance” filing requirement beginning on February 15, 2018. This annual compliance filing will also be made through the NYDFS online portal.

Although implementation of this cybersecurity regulation has been unnecessarily cumbersome and confusing and there is no discernable benefit associated with these tedious and bureaucratic notice requirements, New York resident and nonresident licensees must comply with the new mandates and make the required filings. IIABA’s New York affiliate, the Big I New York, has developed some very helpful materials and tools that explain the new mandates and provide compliance assistance. The Big I New York’s resources can be found here, and the Agents Council for Technology has also created an Agency Cyber Guide that is also available online. Any member agents with questions about the New York cybersecurity regulation and related issues may contact the author at wes.bissett@iiaba.net.

Wes Bissett is the Big “I” senior counsel of government affairs.

The June issue is out now!

Look Inside

Related

AN Radio: Young Agents on the Rise

  • Podcasts

Big ‘I’ Releases Trusted Choice® Legal System Abuse Toolkit

How Giving Advice and Making Representations Can Be Risky Business for Agents

  • Markets

From the Front Lines: Commercial General Liability

  • Markets
  • Viewpoints

How Key Factors Within the Commercial Liability Market Are Impacting Stability

  • Markets

Big ‘I’ President & CEO Highlights Tax Reform, Legal System Abuse at Industry Forum

4 Things You Should Do If Your Carrier Has Been Hacked

Highest Value Auto Customers Most Likely to Shop

4 Powerful Ways an Upgraded AMS Can Keep Your Agency Competitive

  • Strategies

5 Tips to Help Breweries and Wineries Balance Sustainability Goals With Risk Mitigation

  • Markets