The vaults of the world’s financial capital are getting stronger locks. On March 1, 2017, new “first-in-the-nation” cybersecurity regulations of the New York Department of Financial Services (DFS) went into effect to protect consumers and the financial system from cyber attacks. While the regulations apply to covered finance and insurance companies, their influence is likely to be felt beyond the companies targeted initially. For this reason, it’s important that all companies with cybersecurity risks understand how the new DFS regulations work, and the insurance coverage issues they may raise.
New York’s new cybersecurity regulations apply to banks, insurers and other financial services institutions licensed in New York, with limited exceptions for smaller companies, captive insurance companies and others. The regulations’ requirements generally fall into a few categories:
- Cybersecurity Programs: Covered entities must establish and maintain cybersecurity programs designed to (i) identify and assess cyber risks, (ii) establish and test defenses to protect non-public information from those risks, and (iii) detect, respond to and recover from cybersecurity events. The technical requirements are detailed and, absent effective continuous monitoring, include both annual penetration testing and bi-annual (twice-yearly) vulnerability assessments.
- Third-Party Vendors: Covered entities are responsible for their third-party vendors’ protection of non-public information. Covered entities must identify risks from third-party access, impose minimum cybersecurity practices for vendors, and perform due diligence in evaluating the vendors.
- Management Responsibility: The regulations make clear that responsibility for cybersecurity starts at the top, saying in the introduction: “Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program.” Covered entities are required to designate a Chief Information Security Officer (CISO), who must report in writing to the board at least annually. The board or a senior officer must annually certify to the DFS that the company is in compliance with the regulations.
- Reporting Requirements: Covered entities must notify the Superintendent of the DFS within 72 hours of determining that a cybersecurity event has occurred that either (i) must be disclosed to another government, self-regulatory or supervisory body, or (ii) has a “reasonable likelihood of materially harming any material part” of the company’s normal operations. Because the regulations define a cybersecurity event to include unsuccessful as well as successful attempts to gain unauthorized access to, disrupt or misuse an information system, an unsuccessful attack that meets either test is reportable.
While the regulations don’t directly relate to cyber or liability insurance, there are several ways they could have an impact on such insurance:
- The regulations could open covered entities up to potential liability from regulatory actions or consumer litigation in the event of a compliance failure or cybersecurity event. Such companies should make sure that their cyber and/or other liability policies provide coverage for such claims.
- The responsibilities imposed on management could also lead to claims against directors and officers of covered entities, for example for alleged misrepresentations about the strength of the company’s cyber protections or about the accuracy of the annual compliance certification. Covered entities should make sure that their D&O policies don’t exclude such cyber risks, whether specifically, implicitly, or as part of a broad cyber exclusion.
- The regulations’ third-party vendor requirements could also expose covered entities’ vendors to potential liability and may create issues as to whose policy should respond to a given claim.
Even for non-covered entities, the New York regulations may serve as a standard for protecting third-party information. Their requirements or similar requirements may come to be applied more broadly, whether by contract or regulation. Companies that are not subject to the regulations should still take care to understand their requirements and insurance impacts for when they need to secure their own safes.