New York Department Of Financial Services To Begin Enforcement Of Cybersecurity Regulations
04.29.19
(Article from Insurance Law Alert, April 2019)
As discussed in our May 2018 Alert, the Department of Financial Services (“DFS”) enacted cybersecurity regulations applicable to entities subject to New York banking, insurance and financial services laws (“Covered Entities”). The regulations impose certain minimum requirements on Covered Entities for cybersecurity practices, including the maintenance of a cybersecurity program and response plan, the designation of a senior officer to oversee cybersecurity, routine risk assessment, notification of a security incident to the DFS and annual compliance certification. See N.Y. Comp. R. & Regs. tit. 23 § 500 (2017).
Since the March 2017 enactment of the regulations, a series of transition periods has provided Covered Entities with time to implement policies that comply with the regulations. This grace period ended on March 1, 2019, with all Covered Entities now obligated to have written cybersecurity policies and procedures in place. In the coming months, the DFS’s approach to enforcement of its regulations will reveal the extent of permissible flexibility in a Covered Entity’s cybersecurity program. One notable area of interest to many Covered Entities is the manner and extent to which the DFS will enforce cybersecurity requirements relating to information held by third-party vendors, particularly given the broad scope of “vendor” under the new regulations. Under the regulations, Covered Entities are obligated to regularly audit vendors to ensure compliance with cybersecurity measures. Additionally, as official enforcement of the regulations gets underway, the DFS may have the opportunity to clarify the scope of events that constitute a reportable incident subject to the 72-hour window for reporting data breaches. We will keep you informed of developments relating to the enforcement of these regulations.