NY DFS Cyber Regulation and the Impact on PA Mutual Insurers
June 8, 2017 Andrew R. Gifford
Introduction
- The NY DFS Cyber Regulation went into effect March 1, 2017.
- The Regulation has unusually broad coverage: it applies to Non-Public Information (NPI), beyond notice-triggering data.
- The Regulation applies to all NY DFS licensed, registered or chartered companies (§ (c)).
- The Regulation takes a risk-based approach: “periodic” risk assessments are the foundation for the required cybersecurity program.
NY Cyber Regulation and the Impact on PA Mutual Insurers | Andrew Gifford | June 8, 2017
What is a “Covered Entity” under the Regulation?
Any “Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of NY (§500.01(c)). A “Person” is defined as “any individual or any non-governmental entity.”
This casts a broad net that can include insurers, reinsurers, brokers, insurance agencies, claims adjusters, third-party administrators and other NY licensed insurance entities.
Limited exemptions exist for smaller entities, individual employees or representatives of a Covered Entity, accredited or certified reinsurers, non-NY RRGs and excess/surplus lines insurers. Note that these exemptions are limited; a risk assessment and cyber program may still be required.
Diagram: parties connected to a PA Mutual: Brokers, Agents, Insureds, Intermediaries, Banks, Reinsurers, Vendors.
Companies Supervised by the NY DFS
Banks & Trust Companies; Budget Planners; Charitable Foundations; Check Cashers; Credit Unions; Domestic Representative Offices; Foreign Agencies; Foreign Bank Branches; Foreign Representative Offices; Health Insurers, Accident and Related Entities; Holding Companies; Investment Companies; Licensed Lenders; Life Insurance Companies; Money Transmitters; Mortgage Bankers; Mortgage Brokers; Mortgage Loan Originators; Mortgage Loan Servicers; New York State Regulated Corporations; Premium Finance Agencies; Private Bankers; Property and Casualty Insurance Companies; Safe Deposit Companies; Sales Finance Companies; Savings Banks and Savings and Loan Associations (S&Ls); Service Contract Providers
Does the NY DFS Regulation Apply to You?
- Are you a Covered Entity under the Regulation?
- Does an exemption apply?
- Do you have an affiliate that is a Covered Entity?
- Do you work with agents who are Covered Entities?
- Are your clients or vendors Covered Entities?
NY DFS Cyber Regulation – Categories of Activity
- Identification: system monitoring, penetration testing, risk assessments
- Information Governance: designate a CISO, policies and procedures, awareness and training
- Risk Mitigation: log maintenance, access controls, multi-factor authentication, incident response planning
- Reporting: cyber event notification, annual certification, notice of exemption
Definition of Nonpublic Information (§500.01(g))
The definition of “nonpublic information” covered by the Regulation is extremely broad. With respect to PII, it is information about an individual that can be used to identify that individual, such as a Social Security number, biometrics, a driver’s license number or financial account numbers.
The definition also includes:
- Any business information whose unauthorized disclosure would cause “material adverse impact.”
- Any information, other than gender or age, derived or obtained from a healthcare provider or an individual that relates to any health conditions or treatments.
Cybersecurity Program (§500.02)
A comprehensive written cybersecurity program is mandated, but it is based on a “periodic” risk assessment rather than prescribed “one size fits all” requirements. The cybersecurity program must:
- Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of NPI stored on the Covered Entity’s systems
- Use defensive infrastructure and the implementation of policies and procedures to protect information systems and the NPI stored on those systems
- Detect cybersecurity events; respond to events and mitigate their impact
- Recover from events and restore systems to normal operations
- Satisfy applicable regulatory reporting obligations
A company can adopt a group/affiliate cybersecurity program if it covers that company’s systems and nonpublic information.
Risk Assessment (§500.09)
Each Covered Entity shall conduct a periodic Risk Assessment of systems “sufficient to inform the design of the cybersecurity program.” The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented, including:
- Criteria for the evaluation and categorization of identified risks or threats
- Criteria for the assessment of the confidentiality, integrity, security and availability of the systems and NPI, including the adequacy of existing controls
- Requirements as to how identified risks will be mitigated or accepted and how the program will address these risks
The risk assessment must be updated as “reasonably necessary” to address changes.
Cybersecurity Policy/Policies (§500.03)
The Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Entity’s Board, setting forth the Entity’s policies and procedures for the protection of systems and the NPI stored on those systems. The policy or policies will be based on the Risk Assessment and address the 14 specific topics identified in § (a) – (n).
Where are your biggest risks?
Diagram: risk mitigation across Technology, Policies, and Awareness and Training.
Third-Party Vendor Considerations (§500.11)
Entities covered by the regulation “shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
Policies and procedures should be based on a risk assessment of vendors and cover risk assessments, minimum security practices, vendor due diligence and periodic vendor assessments.
The policies and procedures must include guidelines for vendor due diligence and contractual protections, including (i) the vendor’s policies for meeting multi-factor authentication and encryption requirements under the regulation, (ii) the notice the vendor will provide if a cyber event impacts information systems or nonpublic information held by the vendor, and (iii) representations and warranties addressing the vendor’s policies and procedures that relate to the security of the covered entity’s information systems or nonpublic information.
Representatives or designees of covered entities can follow the vendor management policies of the covered entity and do not need to develop their own program.
Reporting Requirements
- Reporting to Board/Senior Management (§500.04)
- Incident Response Plan (§500.16)
- Notices to NY Superintendent, including notices of cyber events (§500.17)
- Certification of Compliance (§ ; Appendix A)
Reporting Requirements – Certificate of Compliance
Extended Transition Periods
The Regulation went into effect on March 1, 2017, with a general six-month transition period; compliance at the end of the six-month transition period must be certified on Feb 15, 2018. Longer transition periods are permitted:
- 12 months for (i) penetration testing and vulnerability assessment requirements; (ii) risk assessment requirements; (iii) cyber awareness training; (iv) multi-factor authentication requirements; and (v) CISO board reporting
- 18 months for requirements related to (i) audit trails; (ii) data retention; (iii) data encryption; (iv) user activity monitoring; and (v) application development security
- 2 years for implementing third-party vendor requirements
Summary of NY DFS Reg Compliance Requirements
- Cybersecurity Program
- Cybersecurity Policy
- Chief Information Security Officer (CISO) and annual report [1] to the Board of Directors
- Penetration Testing and Vulnerability Assessments
- Audit Trail
- Access Privileges
- Application Security
- Risk Assessment
- Cybersecurity Personnel and Intelligence
- Third-Party Service Provider Security Policy
- Multi-Factor Authentication
- Limitations on Data Retention
- Training [1] and Monitoring
- Encryption of Nonpublic Information
- Incident Response Plan
- Notices to Superintendent
- Certification of Compliance [4]
All require compliance by September 1, 2017, except where noted.
[1] March 1, 2018
[2] September 1, 2018
[3] March 1, 2019
[4] February 15, 2018
What is happening outside of New York?
- NAIC’s Cybersecurity Task Force started in 2015.
- NAIC has been engaged in the development of a Model Law.
- Will the Model Law track NY DFS, conflict with it or complement it?
- What about other regulators? FTC? SEC? State Attorneys General?
- Have you received any cyber questionnaires yet from agents, brokers, reinsurers, or other partners in the business?
Thank you
Andrew R. Gifford
Andrew.Gifford@genre.com
203 328 6171