If adopted as proposed, a larger universe of small and midsized insurance agencies and other financial firms would be exempt from many aspects of the regulation.
Nearly six years ago, the New York Department of Financial Services (DFS) issued a sweeping regulation on insurance, banking, and financial services entities in that state. Yesterday, the DFS released a series of proposed amendments to that landmark rule that could take effect in 2023.
Any insurance agency that holds a New York license is no doubt familiar with the cybersecurity rule first issued in February 2017. That regulation requires all insurance agencies, including both residents and non-residents, insurers, banks, and other financial services firms that operate in the Empire State to establish comprehensive data security programs and comply with specified cyber-specific mandates.
The proposed updates unveiled yesterday are designed, in the words of Adrienne Harris, superintendent of the New York DFS, to ensure that the New York regulation “keeps pace with new threats and technology purpose-built to steal data or inflict harm.”
Many of the requirements in the existing regulation apply to every licensee in New York, but there are a series of heightened requirements that also apply to a smaller universe of larger entities.
These additional and more onerous requirements apply unless an entity has either: fewer than 10 employees, including independent contractors; less than $5 million in gross annual revenue from business operations in New York over each of the last three fiscal years; or less than $10 million in year-end total assets.
However, the proposed revisions to the New York DFS regulation would expand the scope of the limited exemption by raising the employee and independent contractor threshold to fewer than 20 individuals and increasing the year-end total asset threshold to $15 million. If adopted as proposed, a larger universe of small and midsized insurance agencies and other financial firms would be exempt from many aspects of the regulation.
The Big “I” continues to review and assess yesterday's proposal, but some of the other notable proposed changes are outlined below:
- Since its initial promulgation, the New York DFS cybersecurity regulation has required all licensees to adopt a written cybersecurity policy or policies. The proposed amendment would expand the list of issues and items that must be considered as part of that process and require that the policies address data retention, remote access controls, systems monitoring, security awareness and training, application security, incident notification, and vulnerability management. The proposed revisions would also make clear that these policies must be reviewed and approved annually.
- All licensees would also be required to address and restrict access privileges to information systems and protected information. Covered entities would be required to limit access to those who need it to perform their jobs, review access privileges periodically, and terminate access privileges when they are no longer necessary or following staff departures. Licensees who utilize passwords as a method of authentication would also be required to implement written password policies that meet industry standards.
- The revisions would also extend existing authentication requirements to all licensees, including those who qualify for the limited exemption, and expand the scope of these mandates. For example, multifactor authentication or equivalent controls would be required for those accessing information systems and certain third-party applications remotely.
- All licensees would be required to implement written policies and procedures regarding asset inventory management and maintenance.
- The amendment would establish a series of additional new requirements for larger entities that do not qualify for the limited exemption. Non-exempt licensees would be required to implement monitoring and blocking controls that protect against malicious code and provide at least annual awareness training that includes social engineering exercises. These businesses are already required to develop incident response plans, but the proposed revisions would add an obligation to develop business continuity and disaster recovery plans and a duty to test all of these plans at least annually.
- The proposal would create complete exemptions for individual insurance agents and brokers who meet certain conditions.
- The revisions would create a new, third tier of licensees and apply an even more robust series of requirements to them. These businesses, referred to as “Class A companies,” are entities regulated by the New York DFS that have at least $20 million in gross annual revenue from business operations in New York in each of the last two years and have either more than 2,000 employees or $1 billion in gross annual revenue.
The proposed revisions unveiled yesterday have been under development for months, and Big I New York has already had significant interaction with the DFS on this issue and submitted informal comments in response to earlier drafts. Those advocacy efforts are ongoing and will continue.
The comment period on the amended rule ends on Jan. 9, 2023. Final action on the proposal is expected during the first half of the new year with compliance with any new provisions likely to be required in 2023 and 2024.
Wes Bissett is Big “I” government affairs senior counsel.