
New York Adopts Broad New Data Security Requirements

The New York Department of Financial Services finalized a data security regulation that will impose new requirements on all banking and insurance entities in the state.

After months of development, the New York Department of Financial Services (DFS) recently finalized a data security regulation that will impose new requirements on all banking and insurance entities in the state. The mandates will take effect gradually over the next two years, with many notable elements requiring compliance within the next six months. 

Insurance agencies are already required to implement comprehensive written data security programs, but the new rules build upon and bolster existing standards. “DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” said Maria Vullo, DFS superintendent, in the announcement. 

The regulation will impact thousands of insurance agencies both within New York and beyond, as it will require all resident and nonresident insurance agencies authorized to operate in New York to take the following measures:

  • Develop and maintain a cybersecurity program that is designed to protect the confidentiality and integrity of sensitive information and that complies with the specific standards articulated in the regulation.
  • Conduct periodic risk assessments of information systems to evaluate cybersecurity threats, assess existing controls and identify how to address data security risks.
  • Develop and implement a written cybersecurity policy that sets forth procedures for protecting sensitive information.
  • Limit user access privileges to sensitive information.
  • Adopt procedures for securely disposing of sensitive information that is no longer needed.
  • Promptly report attempted or successful data breaches that have a material effect on business operations to the New York DFS.
  • Implement policies concerning the engagement of third-party service providers and demand that such vendors adhere to certain data security standards and contractual requirements.
  • Submit an annual written statement that certifies compliance to the New York DFS. 

Insurance agencies must satisfy most of the requirements outlined above within 180 days of the regulation’s March 1 effective date. A series of additional requirements will apply to entities that have 10 or more employees, at least $5 million in gross annual revenue from New York-related business and at least $10 million in year-end assets. 

The Big “I” and its New York affiliate, the Independent Insurance Agents & Brokers of New York (IIABNY), will provide additional information concerning compliance in the weeks to come, but insurance agents located or holding nonresident licenses in New York should begin to familiarize themselves with the new requirements immediately. IIABNY will conduct a webinar on the topic on Thursday, March 23.

Wes Bissett is Big “I” outside senior counsel of government affairs.