What You Need to Know to Make Sure Your Insurance Business Complies

New York State Department of Financial Services
New Cybersecurity Regulation 23 NYCRR Part 500
What You Need to Know to Make Sure Your Insurance Business Complies
Presented by: NAIFA-NYS, Peter J. Molinaro, Esq., General Counsel

FIRST IN THE NATION
Governor Andrew Cuomo, September 13, 2016:
"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state sponsored organizations, global terrorist networks, and other criminal enterprises."
(Gov. Cuomo's press release, 9/13/16)

WHO MUST COMPLY? ARE YOU A COVERED ENTITY?
All Licensed Entities/Persons Must Comply in Some Way With the Provisions of This Regulation
A Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. [23 NYCRR 500.1(c)]
Limited Exemptions are available for some Covered Entities.

WHAT DATA MUST BE PROTECTED?
The Regulation Is Designed to Protect Nonpublic Information Stored on a Covered Entity's Information System
Nonpublic Information is defined as all electronic information that is not Publicly Available Information and is:
1. Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;
2. Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) driver's license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records;
3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care for any individual. [500.01(g)]

OVERVIEW OF THE REGULATION
A. Each Covered Entity is required to establish and maintain a written cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems and the Nonpublic Information therein. (500.02)
B. Each Covered Entity must adopt and maintain a written cybersecurity policy which contains processes and procedures for data governance and classification, access controls and identity management, business continuity and disaster recovery, systems operation and availability concerns, security, monitoring, quality assurance, privacy, third-party service provider management, risk assessment and incident response. (500.03)
C. Appoint a Chief Information Security Officer (CISO) to oversee implementation and enforcement. (500.04)
D. Supervision and evaluation of the cybersecurity program of Third Party Service Providers who have access to the Covered Entity's Information Systems and Nonpublic Information. (500.11)
E. Your program needs to include a Risk Assessment, use of qualified cybersecurity personnel, timely destruction of unneeded information and an incident response plan. (500.09, 500.10, 500.13, 500.16)
F. Based on the Risk Assessment of your organization, your program may have to include different levels of annual penetration testing with vulnerability assessments, audit trail systems, access logs, review of access privileges, Multi-Factor Authentication for access, employee training and encryption of Nonpublic Information. (500.05, 500.06, 500.07, 500.12, 500.14, 500.15)

THIRD PARTY SERVICE PROVIDER REQUIREMENTS
Definition: Third Party Service Provider means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity. [500.01(n)]
Based on your Risk Assessment, your program must contain policies and procedures designed to secure your system and Nonpublic Information that is accessible to or in the possession of a Third Party Service Provider. [500.11(a)]
Essentials of a Third Party Service Provider Policy [500.11(a)]:
1. Identification and risk assessment of the provider
2. Minimum cybersecurity practices required to be met by the provider before they conduct their business with the Covered Entity
3. Due diligence process used to evaluate the adequacy of the provider's cybersecurity practices
4. Periodic assessment of the provider based on the risk it presents and the continued adequacy of its cybersecurity program
Your program must also contain guidelines for the provider's use of Multi-Factor Authentication, encryption, notice of a Cybersecurity Event to the Covered Entity, and representations and warranties, to the extent applicable, from the provider to the Covered Entity. [500.11(b)]

SOME GOOD NEWS: LIMITED EXEMPTIONS AVAILABLE TO CERTAIN COVERED ENTITIES
A Covered Entity Qualifies for a Limited Exemption From Many of the Regulation's Provisions if That Entity Has One of the Following:
1. Fewer than 10 employees, including independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.
2. Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, including Affiliates.
3. Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of Affiliates. (500.19)

SOME BAD NEWS
Even if you qualify for the limited exemption, you still have to have:
1. The written cybersecurity program and policy
2. Limited user access privileges
3. Periodic risk assessments
4. Third Party Service Provider supervision and monitoring
5. Secure disposal of no longer needed data

OTHER IMPORTANT EXEMPTIONS
A. Employees, agents, representatives, designees
B. Affiliates
C. Covered Entities that don't operate their own system and are not required to keep Nonpublic Information

A. An employee, agent, representative or designee of a Covered Entity, who itself is a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity. [500.19(b)] Such employee, agent, representative or designee of a Covered Entity is also exempt from developing its own third party information security policy if it follows the policy of the Covered Entity with which it works. [500.11(c)]
B. A Covered Entity may meet the requirements of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity. [500.02(c)]
C. A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from all but the Risk Assessment, Third Party Service Provider supervision and monitoring, and data retention provisions of the Regulation. [500.19(c)]

Qualification For The Limited Exemption
If a Covered Entity qualifies for the exemption, it must file a Notice of Exemption in the form provided in Appendix B of the Regulation within 30 days of so determining. If the entity ceases to qualify for the limited exemption, it shall have 180 days from the end of the fiscal year to comply with all applicable requirements of Part 500.

REPORTING REQUIREMENTS
Annual Report To The Superintendent: Each Covered Entity shall report annually, covering the prior calendar year, by February 15th, in the form provided in Appendix A of the Regulation, certifying that the Covered Entity is in compliance with the Regulation. [500.17(b)]
Notice Of Cybersecurity Event: Must notify the Superintendent as promptly as possible, but no later than 72 hours from determining that a Cybersecurity Event (as such an event is defined in the Regulation) has occurred. [500.17(a)]

IMPLEMENTATION TIME FRAMES
Regulation Effective March 1, 2017. The Following Requirements Must Be Implemented Within the Following Time Frames:

180 Days From The Effective Date (August 28, 2017)
1. Cybersecurity Program and Policy Developed
2. Designate Chief Information Security Officer (CISO)
3. Determine System Access Privileges And Personnel Training
4. Establish Incident Response

One Year From The Effective Date (March 1, 2018)
1. Complete Risk Assessment and CISO Reports to Governing Body on System Risks
2. Penetration Testing And Vulnerability Assessment
3. Multi-Factor Authentication Program and Awareness Training for All Employees

Eighteen Months From The Effective Date (September 1, 2018)
1. Audit Trail System Completed and Application Security Written Procedures
2. Policy And Procedures for Disposal of Unneeded Nonpublic Information
3. Encryption of Nonpublic Information

Two Years From The Effective Date (March 1, 2019)
1. Implement Written Policies and Procedures for Third Party Service Providers

ISSUES YOU MAY BE FACING
An agent, employee, representative or designee of an insurer can be exempt simply by being covered by the insurer's program. But can this exemption work for independent agents and brokers? Even though agents, employees, representatives and designees of insurers are exempt from needing their own program, using the insurer's program will nonetheless impose difficult cybersecurity requirements.
What types of breaches or attempted breaches rise to the materiality standard that requires reporting to the Superintendent within 72 hours?
How can we adequately comply with the Third Party Service Provider requirements? Do these requirements limit who we can use to provide needed services? Do we need to include the reg's requirements in our contracts with the vendors?
Are assets under management considered assets for determining qualification for the limited exemption?

NAIFA-NYS ACTION
Filed with NYSDFS comments and critiques of the original draft of this Regulation, which was unworkable and did not take into account the needs of our clients. As a result of our advocacy on your behalf, along with over 150 other associations and companies, NYSDFS significantly amended the Regulation.
Filed additional comments to the current draft of the Regulation, but NYSDFS did not significantly amend the Regulation again before its adoption.
Will continue to discuss the Regulation with NYSDFS and express the concerns and issues of our clients during the implementation phase.
Will assist clients with questions about the Regulation and implementation issues.

Questions?

THANK YOU!
NAIFA-NYS
17 Elk Street, Albany, NY 12207
518-915-1661
info@naifanys.org