New York Governor Andrew Cuomo’s cybersecurity regulations on the financial services industry, put into effect Wednesday, are not the most onerous ever placed on insurers. However, carriers in the state and elsewhere are moving along with compliance in case these regulations become standard elsewhere.

“The law carries a lot of weight because of the companies based here,” says Sam Friedman, insurance research leader at Deloitte Center for Financial Services. “New York is seen as a bellwether for the country. The law creates a nice template for people to look at.”

Gov. Andrew Cuomo's regulations went into effect March 1. Bloomberg

Cuomo’s regulations, first announced on Sept. 13, don't set any standards on how to protect data, adds Friedman. Instead, they offer a set of guidelines insurers should follow—including conducting periodic risk assessments, limiting user access privileges, and notifying the NYS Department of Financial Services within 72 hours of a breach.

“Each regulation gives insurers wiggle room,” said Friedman. “They are pretty easy to clear as insurers have already taken a lot of these steps. It, however, does put companies on notice that they’re being watched.”

The rules come at a critical time for the insurance industry. Hackers are becoming increasingly sophisticated in how they compromise businesses, from data breaches targeting personally identifiable information (PII) to ransomware and point-of-service attacks. The expansion of the Internet of Things throughout the economy also creates additional entry points for attackers to exploit.

The bright spot for insurers is that senior executives have developed a real hunger for staying ahead of breaches, resulting in favorable budgets for chief information security officers to work with, Friedman says. Yet insurers’ craving for a better customer experience through innovation creates an interesting conundrum for CISOs.

“There’s a lot of transformation yet insurers still rely on legacy systems that require patching up from time to time,” said Friedman. “CISOs have to find a balance when making sure everything is secure. They can’t make it so easy that hackers can get in, but can’t require three passwords to use their system.”
