New York’s Cyber Regulations Could Affect All Agencies

Insurance companies that do business in New York will have to comply with New York’s third-party service provider regulations as of March 1, which means that even non-New York-licensed agencies could be affected by these requirements.

The regulation requires insurance companies that do business in New York to develop and implement written policies and procedures to ensure the security of their information systems and nonpublic information that are accessible to or held by third-party service providers, which includes agencies. These policies and procedures are to be tailored based on risk assessments of the third-party service providers.

Although the regulation does not require agencies that are not licensed in New York to comply, companies complying with the regulation will need to assess the data security policies and procedures of all agencies and other third-party service providers. However, many of the core elements of the regulation are already commonplace in the insurance world.

For example, the Gramm-Leach-Bliley Act requires agencies to protect the security of sensitive customer information and adopt information security programs, and many companies already include meaningful data security elements in their agency appointment contracts. Compliance by companies, therefore, should not require the adoption of disruptive business practices or significant changes in the agency-company relationship.

Big “I” President & CEO Bob Rusbuldt is urging company executives to adopt reasonable, narrowly tailored and non-disruptive approaches to comply with the regulation, such as asking agencies to confirm that they comply with applicable state and federal data security standards, have implemented an information security plan and will notify the company when they are breached. The approach should recognize that agencies are already subject to data security mandates and should be tailored to the unique relationship that exists between companies and agencies, which may be unlike relationships with other third-party service providers.

The Big “I” will continue to work with companies to ensure that their compliance efforts are reasonable and narrowly tailored, and that they do not cause unnecessary disruption to agencies.

Additional details and information about New York’s requirements regarding third-party service providers, their effects on non-New York agencies, and Big “I” efforts to advocate on agencies’ behalf, are available in this memo the national association sent to Big “I” state associations.

Scott Kneeland is Big “I” general counsel.