Insurers begin adapting to new N.Y. cybersecurity regulations

New York Governor Andrew Cuomo’s cybersecurity regulations on the financial services industry, put into effect Wednesday, are not the most onerous ever placed on insurers. However, carriers in the state and elsewhere are moving along with compliance in case these regulations become standard elsewhere.

“The law carries a lot of weight because of the companies based here,” says Sam Friedman, insurance research leader at Deloitte Center for Financial Services. “New York is seen as a bellwether for the country. The law creates a nice template for people to look at.”


Cuomo’s regulations, first announced on Sept. 13, don't set any standards on how to protect data, adds Friedman. Instead, they offer a set of guidelines insurers should follow, including conducting periodic risk assessments, limiting user access privileges, and notifying the NYS Department of Financial Services within 72 hours of breaches.

“Each regulation gives insurers wiggle room,” said Friedman. “They are pretty easy to clear as insurers have already taken a lot of these steps. It, however, does put companies on notice that they’re being watched.”

The rules come at a critical time for the insurance industry. Hackers are becoming increasingly sophisticated in how they compromise businesses, from data breaches targeting PII to ransomware and point-of-service attacks. The expansion of the Internet of Things throughout the economy also creates added entry points for invaders to leverage.

The bright spot for insurers is that senior executives have developed a real hunger for staying ahead of breaches, resulting in favorable budgets for chief information security officers to work with, Friedman says. Yet insurers’ craving for a better customer experience through innovation creates an interesting conundrum for CISOs.

“There’s a lot of transformation yet insurers still rely on legacy systems that require patching up from time to time,” said Friedman. “CISOs have to find a balance when making sure everything is secure. They can’t make it so easy that hackers can get in, but can’t require three passwords to use their system.”
