Insurance producers who hold New York licenses are no doubt familiar with, and have been frustrated by, that state’s cumbersome cybersecurity regulation. The implementation of this rule continues to cause administrative headaches for agents and brokers. The latest twist in this saga is that New York regulators are requiring licensees to resubmit certain filings that were previously made.
New York’s cybersecurity regulation imposes obligations on every individual and business entity that holds a license in the Empire State, including nonresidents. These obligations include certain reporting requirements, and licensees must submit certain filings in order to claim an exemption from some or all of the rule’s mandates.
New York regulators recently unveiled a new Cybersecurity Portal to assist with the requisite filings, and state officials are now requiring all licensees to resubmit previously filed exemption notices. These filings and the annual certification of compliance must be completed by next Friday, Feb. 15.
For Individual Agents
New York regulators require individual agents to either develop their own cybersecurity programs or be covered by a program implemented and maintained by their affiliated agencies. Since the development of a cybersecurity program is an enterprise-level endeavor, individual agents will almost certainly not be complying with the regulation on their own. They will instead be relying on their agencies to institute an appropriate program that satisfies the obligations.
Nevertheless, New York officials require all individual licensees who do not develop their own personal cybersecurity programs to file a notice of exemption with the state. In short, all New York-licensed individual insurance agents who are covered by the cybersecurity programs of their agencies will need to satisfy this reporting requirement.
Most of the requirements in the regulation apply to every resident and nonresident licensee, but a series of heightened requirements also apply to a smaller universe of larger entities. An entity must comply with the additional mandates unless it has 1) fewer than 10 employees, including independent contractors; 2) less than $5 million in gross annual revenue; or 3) less than $10 million in year-end total assets.
Most independent agencies will satisfy one of these three criteria, and any New York-licensed entity that qualifies for the limited exemption and does not want to be subject to the heightened requirements must file a notice with the state.
In addition to the exemption filings that must be resubmitted through the new portal, New York-licensed business entities must also file their annual certifications of compliance with the regulation. Again, both the exemption and annual certification filings must be made by Feb. 15.
Agents and brokers seeking additional information concerning these filing and reporting requirements or other aspects of the New York cybersecurity regulation are encouraged to contact Wes Bissett, Big “I” government affairs senior counsel.
Wes Bissett is Big “I” government affairs senior counsel.