New York State’s powerful financial regulator, the Department of Financial Services (DFS), has recently grabbed the cybersecurity spotlight by issuing a first-in-the-nation cybersecurity regulation, which went into effect on 1 March 2017.
The regulation is a game changer for directors with responsibility over any financial institutions (including banks, trusts and insurance companies, referred to here as covered entities) that are required to operate under a licence, registration, or similar authorisation under New York’s Banking Law, Insurance Law or Financial Services Law. Although the regulation does not directly apply to national banks and federal branches of foreign banks, it does apply, for example, to New York-licensed lenders and branches of foreign banks. Because it applies regardless of where the institution is domiciled, the regulation’s impact is being felt around the world. It is groundbreaking in several respects.
First, it is a mandatory regulation, as opposed to ‘guidance’, that requires covered entities to establish a cybersecurity programme designed to protect the confidentiality, integrity and availability of the institution’s information systems and nonpublic information. Although the DFS does not spell out specific fines or penalties associated with violations, the regulation provides that it will be enforced pursuant to DFS authority ‘under any applicable laws’.
For insurance company Chief Risk Officers, evolving and increasing cyber risks will be hard to ignore in 2017. In addition to fending off cyber-attacks like every enterprise must, insurance companies will also face new legal and regulatory cyber challenges by way of a groundbreaking regulation from New York’s Department of Financial Services and possibly a Model Law from the National Association of Insurance Commissioners. Meanwhile, insurers are writing more cyber coverage, triggering concerns about cyber events simultaneously affecting multiple insureds across the insurer’s portfolio, leading to massive aggregated losses. While addressing these “noisy” cyber risks will not be an easy task from a risk management perspective, a more subtle and potentially more dangerous cyber risk, a “silent” cyber risk, likely will prove to be even more challenging for today’s CROs.
This is an unprecedented time for insurers. As margins associated with conventional lines of coverage continue to tighten, pressure is increasing to offer new forms of coverage to respond to the emerging cyber risks facing insureds in today’s digital economy. At the same time, insurers are compelled to make certain that those risks are effectively excluded from coverage under many other “traditional” policy forms.
New York State’s Department of Financial Services (DFS) has just released its revised first-in-nation proposed cybersecurity regulation. In formulating the revised proposal, DFS took into account the more than 150 comments it received with regard to its original proposal, which was released in September 2016. Although the new proposal maintains many of the requirements of the initial proposal, such as the requirements for a Cybersecurity Program, a written Cybersecurity Policy, and the designation of an individual responsible for the program’s implementation and oversight, the new proposal differs in a number of very significant ways, highlighted below:
Ownership of a company’s cybersecurity is akin to an issue like climate change or eco-preservation: It’s a concern that touches everyone. For cybersecurity, however, universal ownership may not be the best approach to ensure accountability.