New cybersecurity requirements challenge New York state’s insurers
Carriers that write policies in New York state are facing a key deadline to comply with the state’s strict new cybersecurity requirements.
The regulations, known as 23 NYCRR 500, were originally issued by New York’s Department of Financial Services in March of 2017, but to give institutions time to comply with the new rules, they are being phased in over a two-year period. The next in a series of deadlines is on September 3, when a large and near final set of requirements is due to take effect.
Unlike the initial rules, which went into force during 2017 and the first half of 2018, “The upcoming requirements will be more challenging for insurers and other financial services firms to implement,” warns Nicole Clement, a senior manager in Accenture’s financial services security practice.
The first wave of regulations called for establishing a cybersecurity program, appointing a chief information security officer and putting other governance and organizational procedures in place.
The upcoming requirements are much more technical in nature, says Clement, and will require insurers to deploy new systems and processes. Adding to the difficulty, the new regulations cover all data that contain “non-public information.” That is a considerably broader category than “personally identifiable information,” which up until now has been the industry’s norm for determining what data needs to be secured. According to Clement, the new, broader definition encompasses all of the essential data held by an insurer, including policy guidelines, underwriting equations and business strategies.
To meet the September 3 deadline, insurers must encrypt all of their non-public information, including both data in transit and data at rest. This presents another significant challenge, Clement says, since “Any time you start encrypting data, you have to take into account the effect it can have on your business processes.” Before they can implement a full encryption plan, she adds, “institutions have to take a step back and understand the type of data that they hold, where it sits and whether it’s even really needed.”
Under the new rules, all regulated institutions will have to certify that they are compliant with the Department of Finance’s encryption requirements on an annual basis.
Yet another set of regulations pertains to establishing and maintaining two types of audit trails. The first requires that insurers monitor and backup all of the financial transactions that take place on their network.
“These audit trails are aimed at preventing an attack that undermines either the integrity or the availability of the institution’s data,” Clement explains, and the transaction data must be backed up, retained and remain fully recoverable for a minimum of five years.
The second type of audit trail is for the information needed to perform data forensics in the event of a security breach. This includes records of which users have accessed and made use of the different applications running on the network, and they need to be retained for at least three years.
All told, Clements says New York’s cybersecurity requirements for financial services firms are the most comprehensive and rigorous to date. The DFS hasn’t specified any penalties for non-compliance, but it sends inspectors onsite to examine company records and procedures, and the Accenture consultant says that any insurers failing to comply with 23 NYCRR 500 should expect to be subject to a variety of enforcement actions.