Insurance companies doing business in New York and regulated by the New York State Department of Financial Services may soon be subject to new cybersecurity rules.

Proposed cybersecurity regulations, published in the New York State register on September 28, are subject to a 45-day public comment period.

If approved, regulated insurance companies and financial institutions will be required to take the following steps under the proposal:

  • Establish a cybersecurity program
  • Adopt a written cybersecurity policy
  • Designate a Chief Information Security Officer (CISO)
  • Maintain the security of non-public data accessed by third parties

The Chief Information Security Officer will be responsible for implementing, overseeing and enforcing new cybersecurity programs and policies. The CISO for every New York insurance company will be required to address five key aspects of risk management, including:

  • Identification of cyber risks
  • Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts
  • Detection of cybersecurity events
  • Mitigation efforts in regard to negative cybersecurity events
  • Recovery from cybersecurity events and restoration of normal operations

Background on Cybersecurity Regulations in New York

Concern for the safety of personally identifiable data involving a consumer’s health records, assets, and property insurance coverage is behind the New York proposal.

In February of 2015, New York State issued the results of a cybersecurity survey based on the responses of 43 insurance providers (21 health insurance providers, 12 P&C companies, and 10 life insurance firms).

The survey sought to collect data on current practices in regard to data protection, penetration testing, security budgets, governance issues, and actual data breaches. The size and sophistication of an insurance carrier was not a dependable guide to the entity’s cybersecurity protection, according to the survey.

Click on the link to read the Report on Cyber Security in the Insurance Sector, issued by the New York State Department of Financial Services in February, 2015.

Click on the link to read New York’s Proposed Cybersecurity Requirements for Financial Services Companies.

Bill Hager’s Insurance Policy Expertise as an Insurance Regulator

Mr. Hager served as an insurance regulator for eight years in five positions: (i) Assistant Attorney General assigned to the Iowa Department of Insurance, (ii) First Deputy Commissioner of Insurance, (iii) Iowa Commissioner of Insurance, (iv) Administrative Law Judge, and (v) Executive and Member of the National Association of Insurance Commissioners.

In this capacity Mr. Hager, along with his staff, approved (or disapproved) of the language of insurance policies used by each of the 1,000 property casualty insurance companies doing business in the state of Iowa.

This regulatory action also included the approval of almost all policy application forms and policy forms themselves in use today. In addition, he regularly served as an Administrative Law Judge in matters relating directly to insurance policies.

While Iowa Commissioner of Insurance, Mr. Hager also served as a member of the National Association of Insurance Commissioners (including membership on its Executive Committee).

While with the NAIC, he served, among other things, as:

  • Chair of the Midwest Zone. He was elected to this position by his fellow Insurance Commissioners from this zone (composed of the Midwest states) to provide leadership before the balance of the states.
  • Member of the Executive Committee. As a member of the Executive Committee, in effect the steering committee of the NAIC, he provided leadership organization wide. The Executive Committee had direct oversight of the Property Casualty Committee.
  • Member, Commercial Lines Committee. This Committee exercised national oversight of the functioning of commercial lines insurance.

Click on the link to read more about Mr. Hager’s experience as an insurance expert.


Material for this article was taken from a collection of industry sources relating to the subject.

In all of the general statements here, see the state law of the controlling jurisdiction. Every case is different and circumstances vary widely depending on the governing state law, policy provisions, and related considerations.

This blog is provided for educational purposes only. It is not intended to provide legal advice or an opinion in regard to any topic discussed. The blog should not be used as a substitute for legal advice from a licensed attorney in your state.