On September 28, 2016, the New York State Department of Financial Services (DFS) released for comment a proposed new regulation entitled Cybersecurity Requirements for Financial Services Companies (23 N.Y.C.R.R. Part 500). Various industry groups have offered comments and expressed concerns about some of its requirements. These concerns include the costs of compliance and the scope of entities regulated by the proposed rule. Among the organizations offering comments are the Excess Lines Association of New York (ELANY) and the American Association of Managing General Agents (AAMGA).
Section 500.01(c) of the proposed regulation outlines the entities subject to the regulation’s requirements. These include banks, insurance companies and other “Covered Entities.” For purposes of the insurance industry, a covered entity is any person operating or authorized to operate “under a license, registration, charter, certificate, permit, accreditation or similar authorization under the … insurance law.”
The proposed regulation would require every entity covered by the rule to:
establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
ELANY’s most pressing concern deals with the manner in which the proposed regulation would affect insurance producers (of all types) versus licensed insurers. For example, every New York insurance producer does business with multiple insurance companies. However, both the producer and the licensed company are considered “Covered Entities” and have identical responsibilities under the proposed regulation. Small and medium-sized insurance producers usually transact business with multiple insurance companies. This proposed rule would require that producers adopt the cybersecurity requirements from each of those insurers. These requirements may differ company to company and are separate and apart from the producer’s own obligations as a Covered Entity.
Under the proposed rule, a Covered Entity has 180 days from the effective date to comply with the regulation. ELANY maintains that once it is effective, insurance producers will find it difficult to comply with the 180 day deadline. This is especially true, in view of likely last minute requirements by multiple insurers that may differ in certain instances.
Further, the §500.18 “exemption standard” in the definition of “Covered Entity” is narrowly tailored. The standard only captures entities whose volume of business is likely too small to justify the cost and scope of compliance with the regulation. As ELANY noted in its comment letter:
Compliance is expensive to begin with and nearly impossible to achieve when one authority chooses to add another layer of regulation without considering the need for coordination and convergence with an ultimate goal of uniformity or near uniformity in compliance standards.
One outstanding question is whether excess and surplus lines insurers fall under the definition of “Covered Entity” as these are not traditionally regulated by NYDFS. As such, they do not operate under “a license, registration, charter, certificate, permit, accreditation or similar authorization.” That said, these nonadmitted insurers must meet specific financial and reporting requirements as outlined by law. They are listed with and, to an extent, regulated by ELANY which is itself a quasi-governmental organization established by law. Alien nonadmitted insurers, are regulated by the International Insurers Department of the NAIC under provisions included in the Nonadmitted and Reinsurance Reform Act. AAMGA noted this ambiguity in the proposed regulation together with a number of other objectionable provisions affecting wholesale brokers (many of which are also members of ELANY) as well as managing general agents.
It should also be noted that although most excess and surplus lines insurers are licensed in their home state, they are subject to different laws and regulations in at least that one state. Under the definition of “Covered Entity”, it is even more questionable whether the proposed regulation applies to so-called “domestic surplus lines insurers” (which are not licensed in any state, including their state of domicile).
Finally, ELANY recommends that since the requirement to encrypt information (§500.15) at this time will be extremely costly and seriously challenging even with the best technological support, consideration should be given to deleting, or significantly, delaying the encryption requirements.
Most of the comments on the proposed regulation will not become public until after the comment period ends and DFS staff has an opportunity to digest their significance. It is likely a public hearing will be called for such a consequential change in rules for the financial services industry. The fact that there is currently no NAIC model regulation on the subject and the likelihood that different state regulators may promulgate different regulations will make it most difficult for broadly licensed companies to comply with all of the state regulations uniformly and in a timely manner.