New York became the first state in the U.S. to implement cyber security regulations, which began rolling out on a staggered basis, over a two-year period, as of March 1. The New York Department of Financial Services will require banks and insurance companies to vouch for their resilience to cyber attacks. The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target, Home Depot, and Anthem.
“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber crimes,” Governor Andrew Cuomo said in a statement.
The new rules apply to banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license, to name a few. Requirements include designating a chief information security officer with board-level responsibilities, implementing both reporting and incident response procedures, and meeting specific requirements for the encryption of data.
The new rules also call for banks and insurers to scrutinize security at third-party vendors that provide them with goods and services. In 2005, the New York Department of Financial Services found that one-third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.
Firms are required to perform risk assessments in order to design a program tailored to them and have at least a year-and-a-half to comply with the requirements. Covered entities must annually certify compliance.
New York’s cyber security regulation could very well serve as a model for how other states can ensure banks and other regulated companies protect consumers and themselves from cyber breaches. The National Association of Insurance Commissioners is also developing a model cyber security law for insurers, agents, and brokers.
A responsive and strong cyber security plan, in addition to having protocols for protecting data and reporting breaches when they occur, also includes having in place a Privacy & Network Security/Cyber Liability insurance program to help cover the costs involved when a cyber attack occurs. A robust Cyber insurance plan includes first- and third-party insurance coverages designed to help protect clients from security breach expenses, public relations expenses, business income and extra expenses, extortion threats, replacement or restoration of electronic data, website publishing liability, security breach liability, and programming errors and omissions liability. In addition, policies can be designed to provide pre-breach assessment and/or post-breach remediation and crisis management services.
About Axis Insurance Services
Axis Insurance Services partners with several leading insurance companies to provide a wide range of industries, including the financial and banking sector, with tailored Cyber Liability insurance programs. For more information about our insurance solutions, contact us at (877) 787-5258.