There has been a lot of commentary on New York’s new regulation, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) (the Regulation), which went into effect on March 1, 2017. On March 16, 2017, the Excess Line Association of New York (ELANY) released Bulletin 2017-12, which contains some practical guidance for insurance producers that will face some “unique situations” not addressed in the other commentary.
Specifically, the bulletin refers to insurance producers that “may not meet the technical definition of a ‘Third Party Service Provider.’” However, if that producer exchanges “Nonpublic Information” with a New York licensed insurer, “it is probable” that those insurers “will treat them as ‘Third Party Service Providers.’”
ELANY’s first comment with respect to these insurance producers that are treated as “Third Party Service Providers” is:
If treated as “Third Party Service Providers,” all insurance producers doing business with a number of “covered entity” insurance companies will be required to implement separate and various cybersecurity requirements adopted by each insurer subject to the regulation. Insurance producers might find it difficult to simultaneously coordinate and meet the requirements of the “covered entity” insurance company’s mandates with the insurance producers’ own cybersecurity plan within the timeframes required by the regulation.
ELANY’s remaining comments are located here.