You may have recently received an email or other notification from the New York Department of Financial Services (NY DFS) regarding its new cybersecurity requirements that became effective just over a year ago (on March 1, 2017). If so, some guidance as to how to respond might be helpful.
By way of background, the NY DFS cybersecurity regulations require financial institutions and insurance-related companies (including brokers and agents) licensed in New York to adopt written cybersecurity programs that meet certain specific criteria described in the regulations. All licensees were required to electronically file a Certificate of Compliance prior to February 15, 2018, confirming that the required policies and programs have been prepared and implemented, including but not limited to a comprehensive written cybersecurity policy, data access restrictions, and security requirements for your suppliers, vendors, or third-party service providers.
Depending on the size of your organization’s New York operations, you may also be required to draft an incident response plan and designate a Chief Information Security Officer (CISO) to monitor your organization’s information security and report to key stakeholders. Additional DFS cybersecurity requirements were triggered on March 1 (including a requirement to perform a risk assessment), with more regulations coming into effect in September 2018. While smaller organizations could qualify for certain limited exemptions, those licensees must still electronically file a Notice of Exemption through the NY DFS portal. Although the filing deadlines have passed, it is important to adopt these policies and certify compliance as soon as possible to avoid potential regulatory sanctions.
These new regulations put a substantial burden on insurance brokers and agents, who may not have the internal resources or expertise to perform a cybersecurity assessment or prepare the requisite policies. If you are licensed in New York and have not yet filed the requisite Notice of Exemption and/or Certificate of Compliance, or should you need help drafting the required policies or other technical compliance advice, the cybersecurity lawyers at Michelman & Robinson, LLP are available to assist. Please contact Scott Lyon at slyon@mrllp.com or (949) 783-4622.
Scott Lyon
Michelman & Robinson, LLP
slyon@mrllp.com
(949) 783-4622