CAPTIVE INSURANCE COMPANY REPORTS

Transcription

1 CAPTIVE INSURANCE COMPANY REPORTS New York Adopts Cyber-Security Requirements P. Bruce Wright, Saren Goldner, Daren Moreira Eversheds Sutherland LLP April 2017 Editor s Note: This article by P. Bruce Wright, Saren Goldner, and Daren Moreira of Eversheds Sutherland (US) LLP is the latest on the tough (to comply with) new rules on cyber-security for all New York financial services companies. If you have been awaiting it, you re in luck. If you haven t been paying attention, you had best read on. On February 16, 2017, the New York Department of Financial Services (DFS) released a final rule that establishes cyber-security requirements for financial services companies (including insurance companies) regulated by DFS (the Final Rule ). Absent an applicable exemption, the Final Rule would apply to captive insurance companies, risk retention groups (RRGs), and captive managers that are licensed in New York (or that should be so licensed). However, in response to a number of public comments, DFS revised earlier drafts of the Final Rule to provide several exemptions that may be available to captives, RRGs, and captive managers that are licensed in New York (or that should be so licensed). Whether any of these exemptions is applicable is a question that each entity (and its affiliated group) must consider carefully. The Final Rule applies to covered entities (broadly defined as any person or entity operating under or required to operate under a license or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law). The Final Rule s most significant requirements include the following mandates that all covered entities must adhere to. Maintain a cyber-security program that meets detailed requirements (including requirements for regular penetration testing and vulnerability assessments, audit trails, access privileges, cybersecurity training, multifactor authentication, and encryption of nonpublic information (as defined below)). Implement and maintain a cyber-security policy setting forth policies and procedures 1

2 for the protection of the covered entity s information systems 1 and nonpublic information stored on those systems. Designate a qualified individual to oversee and implement the cyber-security program and the cyber-security policy (the chief information security officer or CISO ), and utilize qualified cybersecurity personnel (although these requirements may be outsourced to an affiliate (defined broadly to include any person that controls, is controlled by, or is under common control with the captive) or a third-party service provider, 2 subject to certain restrictions). Conduct annual reporting on the covered entity s cyber-security program and material cyber-risks to the board of directors (or a designated senior officer 3 if the covered entity does not have a board of directors). Conduct periodic risk assessments of the covered entity s information systems. Implement written policies and procedures designed to ensure the security of information systems and nonpublic 1 Information system is defined as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/ process controls systems, telephone switching and private branch exchange systems, and environmental control systems. 2 Third-party service provider is defined as any person or entity that (i) is not an affiliate of the covered entity, (ii) provides services to the covered entity, and (iii) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity. 3 Senior officer is defined as the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a covered entity, including a branch or agency of a foreign banking organization subject to [the Final Rule]. information that are accessible to, or held by, third-party service providers. Establish a cyber-security incident response plan that meets detailed requirements. Notify DFS as promptly as possible but in any event within 72 hours from a determination that a cyber-security event 4 has occurred (i) for which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body or (ii) that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity. Submit an annual certification to DFS (signed by the chairperson of the board of directors or a senior officer) that the covered entity is in compliance with the requirements of the Final Rule. The Final Rule will take effect on March 1, 2017 (emphasis added), but covered entities have 180 days to comply with its requirements, and longer transitional periods are provided for compliance with certain provisions (including certain technical requirements for the cyber-security program). Notably, annual reporting to the board of directors or a senior officer is not required until March 1, 2018, the first certification of compliance is not required to be filed with DFS until February 15, 2018, and policies and procedures governing thirdparty service providers are not required until March 1, As noted above, the Final Rule includes a number of exemptions that may be available to captives, RRGs, and captive managers that are licensed in New York (or that should be so 4 Cyber-security event is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. 2

3 licensed). Covered entities that qualify for an exemption are required to notify DFS (using a Notice of Exemption form) within 30 days of the determination of exemption (which appears to mean within 30 days of the covered entity determining that it is exempt). In the event that a covered entity ceases to qualify for an exemption, the covered entity has 180 days from the fiscal year-end when it ceased to qualify for an exemption to comply with all applicable requirements of the Final Rule. The exemptions to the Final Rule that may be available to captives, RRGs, and captive managers are outlined below. Captive Insurance Companies A New York licensed captive insurance company that does not, and is not required to, directly or indirectly control, own, access, generate, receive, or possess nonpublic information, other than information relating to its corporate parent company (or affiliates), is exempt from some, but not all, requirements of the Final Rule. Nonpublic information is defined as all electronic information that is not publicly available information 5 and is also the following. Business-related information of a covered entity that the tampering with or unauthorized disclosure, access, or use of which would cause a material adverse impact to the business, operations, or security of the covered entity; 5 Publicly available information is defined as any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. For the purposes of this [definition], a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine: (i) That the information is of the type that is available to the general public; and (ii) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so. Any information concerning an individual that, because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) Social Security number, (ii) drivers license number or nondriver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code, or password that would permit access to an individual s financial account, or (v) biometric records; or Any information or data, except age or gender, in any form or medium created by or derived from a healthcare provider or an individual and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any individual or a member of the individual s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual. Captive insurance companies seeking to rely on this exemption will need to consider whether any electronic information they control or have access to (directly or indirectly) would constitute nonpublic information and, if so, whether it relates to a person or entity other than the captive s corporate parent company or an affiliate. Captives, by their nature, primarily insure the risks of their parent or affiliates, but they may nonetheless have access to sensitive information of other business entities or individuals (e.g., third-party claimants or employees of a parent or affiliate). Furthermore, even if a captive qualifies for this exemption, it would still need to comply with several of the Final Rules requirements, including conducting periodic risk assessments of the covered entity s information systems, implementing policies and procedures governing third-party service providers and the disposal of nonpublic information, and providing the required notices and annual certifications to 3

4 DFS. However, as noted below, it may be possible for a captive to rely on a cyber-security program of an affiliate (or one of the other exemptions to the Final Rule). Non-New York RRGs Doing Business in New York The Final Rule includes a broad exemption for all RRGs chartered under the laws of a state other than New York (provided the RRG does not hold any additional license(s) or authorization(s) in New York that would otherwise cause it to be a covered entity). This exemption is intended to ensure that the Final Rule is consistent with the broad prohibition under the federal Liability Risk Retention Act on application of a state s laws to RRGs chartered under the laws of another state. Small Company Exemption A covered entity is exempt from some, but not all, of the Final Rule s requirements if it has any of the following. Fewer than 10 employees, including any independent contractors, of the covered entity or its affiliates located in New York or responsible for business of the covered entity; Less than $5 million in gross annual revenue in each of the last 3 fiscal years from New York business operations of the covered entity and its affiliates; or Less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates. Because the employees (and independent contractors), gross revenues, and assets of all affiliates must be counted when determining whether an entity qualifies for the small company exemption, most New York captives likely would not qualify for this exemption. Furthermore, even if an entity qualifies for this exemption, it would still need to comply with a number of the Final Rule s requirements (emphasis added). This would include maintaining an adequate cyber-security program and cybersecurity policy, limiting access privileges to nonpublic information, conducting periodic risk assessments of the covered entity s information systems, implementing policies and procedures governing third-party service providers and the disposal of nonpublic information, and providing the required notices and annual certifications to DFS. However, as noted below, it may be possible for a captive to rely on a cyber-security program of an affiliate (or one of the other exemptions to the Final Rule). Adopting the Cyber-Security Program of Another Covered Entity The Final Rule includes a broad exemption for any covered entity that is an employee, agent, representative, or designee of another covered entity to the extent that the employee, agent, representative, or designee is covered by the cyber-security program of that other covered entity (which would, therefore, itself be required to comply with the requirements of the Final Rule). This exemption could be available to a captive manager (which acts as the agent or representative of the captive insurance companies that it represents), but, in most cases, the captives that a captive manager represents would not maintain cyber-security programs that cover the captive manager. Adopting the Cyber-Security Program of an Affiliate The Final Rule provides that a covered entity may satisfy its requirements by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of the Final Rule applicable to the covered 4

5 entity. This exemption would not be available to captives and captive managers whose affiliates do not maintain cyber-security programs that meet the Final Rule s requirements. Covered Entities with No Information Systems or Nonpublic Information Finally, the Final Rule includes a limited exemption for any covered entity that does not directly or indirectly operate, maintain, utilize, or control any information systems and that does not, and is not required to, directly or indirectly control, own, access, generate, receive, or possess nonpublic information. The term information systems is defined very broadly and, as such, any captive or captive manager would be hard pressed to rely on this exemption in today s digital world. Furthermore, even if an entity qualifies for this exemption, it would still need to comply with several of the Final Rules requirements, including conducting periodic risk assessments of the covered entity s information systems, implementing policies and procedures governing third-party service providers and the disposal of nonpublic information, and providing the required notices and annual certifications to DFS. However, as noted above, it may be possible for a captive to rely on a cyber-security program of an affiliate (or one of the other exemptions to the Final Rule). Reproduced from the April 2017 issue of Captive Insurance Company Reports. Opinions expressed in this article are those of the author and are not necessarily held by the author s employer or IRMI. This content does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with an attorney, accountant, or other qualified adviser. 5