New York cyber regulations add urgency to risk managers’ response


NEW YORK — The implementation of new cyber security regulations in New York state gives insurers and other covered entities added responsibilities related to the safeguarding of information and systems.

While response planning has always been an important part of risk management, the new regulations increase the urgency of that need, according to comments made during a cyber panel discussion at the New York State Bar Association on Sept. 26 in New York.

The new regulation, 23 NYCRR 500, or “New York Reg 500” as it is colloquially known, went into effect on March 1, 2017. The law requires insurers, financial services companies and other companies that compile sensitive information to “maintain a cyber security program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems” that is able to “respond to identified or detected cybersecurity events to mitigate any negative effects.”

Those companies regulated by New York’s cyber regulations, deemed “covered entities,” must take necessary steps and exercise due diligence to comply with their mandates before there is a breach or an examination by the New York State Department of Financial Services, according to Francine L. Semaya, a legal and insurance regulatory consultant in New York.

This includes having in place an appropriate response plan as dictated by the regulation, Ms. Semaya said. No covered entity wants to be the DFS “scapegoat” for failure to make due diligence attempts to update the cyber liability protections in accordance with NY Reg 500, Ms. Semaya said.

A company’s response plan should be detailed and in writing.

“The cyber security laws and regulations do require notifications so a company has to prepare in advance, develop a written plan and assign duties to people,” said Eric Nordman, director of regulatory services at the National Association of Insurance Commissioners in Kansas City, Missouri.

“You get your response plan in place, you get your people lined up,” said James Gkonos, special counsel with Saul Ewing Arnstein & Lehr L.L.P. in Philadelphia.

Mr. Nordman added that the relevant insurance commissioners should be contacted in the event of an incident so they are aware if approached by the media.

“At the end of the day, you don’t ever want to be sideways with the regulators,” Mr. Gkonos said.

Any company experiencing an incident will likely need to involve lawyers in the response.

“A response plan should have outside counsel engaged in advance, as well as a forensic investigation firm like FireEye (Inc.),” said Ronnie Brandes, assistant general counsel with Marsh & McLennan Cos. Inc. in New York.

“I do think you can and should get your lawyers involved right away” for several reasons, including the safeguarding of any privileged information, Mr. Gkonos said.

Fortunately, reporting requirements under the myriad statutes and regulations followed by insurers are similar enough so as not to create a substantial extra burden.

“The notification requirements under different regulations are similar or somewhat similar to one another,” Ms. Brandes said.

State laws governing cyber breach notification are not all that dissimilar, Mr. Nordman said.

“If we’ve managed the hodgepodge of laws thus far, I think we are going to have to continue to do so,” Ms. Brandes said.

And practicing the steps of a plan is an important part of preparation, observers say.

“If you have an event, the first thing to do is pull out your incident response plan and follow the steps one by one,” said Jonathan Olefson, general counsel for Atlanta-based Cotiviti Holdings Inc. “A cyber incident should be treated like a medical emergency — you are trying to stabilize the situation and gather as much information as possible.”

“You can’t predict, but you can practice,” Mr. Olefson said.