By Drew M Smith
In the new year, New York is set to establish new regulations in relation to cyber security for companies that are regulated by the New York Department of Financial Services (DFS). With incident of breaches increasing at an alarming rate recently, the state of New York is taking measures to ensure the companies they regulate have adequate policies and procedures. Upon the passing of the new regulations, all companies above a certain size as dictated by the Departments of Banking, Insurance or Financial Services must comply. This would apply to insurance companies, agencies, banks, brokerages and related regulated entities.
NYS Proposal number 500 is New York’s proposal that outlines new cyber security requirements that would go into effect upon passage of the regulation. The regulations apply to companies that have more than 10 employees. Application also extends to the contractors of the regulated entities. In addition, companies with revenues that exceed $5,000,000 over the previous three years or those with over $10,000,000 in end of year assets over all of their affiliates. These numbers can be tabulated using various legal accounting methods.
Along with these new regulations comes a set of standard guidelines. For one, all companies should have one officer designated as a Chief Information Security Officer. These CIO’s are responsible for outlining a plan and can be an officer in the company or a third party vendor that is qualified to handle such matters. They are also responsible for assessing and testing the cyber security plan. This includes penetration testing where someone deliberately attacks your server to test the effectiveness of the plan in place. This plan should disclose your protocols in the event a breach happens and should be ready within six months.
A good written cyber security plan needs to have five things:
1. It needs to be active as soon as possible, the earliest of which is 180 days after if and when these regulations goes into effect.
2. In the unlikely event of a breach, a proper response plan should be in place to determine the steps needed to minimize the breach.
3. A way to create dual factor authentication. DFA’s are authorizations in addition to a password such as a code sent out to a trusted source that confirms you were the one that entered the password.
4. It needs to develop and implement a penetration testing plan. This testing is to be done as often as needed, such as weekly, monthly or quarterly.
5. All personnel, including contractors, new and temporary employees should be trained in spotting a potential issue if and when a breach occurs. This training should be done regularly.
All qualified personnel, including third party vendors, should know both your breach response and your cyber security plan. A cyber policy is a good starting point in getting these parties involved.
For a more detailed information you can review a summary of proposed regulations from DFS as of 12/31/16.
About Axis Insurance Services, LLC
Axis Insurance Services, LLC (AIS) is a licensed professional liability insurance broker located in Franklin Lakes, NJ with agents licensed nationwide. They offer access to high-quality insurance products in the areas of Errors and Omissions insurance (E&O), Directors and Officers liability insurance (D&O), Crime, Fiduciary, and Privacy/Network security coverage for today’s professional service firms. AIS works with all company types including commercial real estate firms, real estate agents and brokers, property managers, insurance agents, medical groups, practice managers, third party administrators, lawyers, accountants, architects, engineers and many others.
Axis Insurance Services, LLC is not affiliated with Axis Capital, Axis Insurance Company, its subsidiaries or affiliates in any way.