Competing Cyber-Security Laws: NAIC v. New York

An office with a computer monitor on white desk with chains around it and locks attached to the chains on the front and back

November 01, 2016

Many captives are probably aware of the work being done at the National Association of Insurance Commissioners (NAIC) concerning cyber-security risks. This process began in late 2014 when the NAIC’s Executive (EX) Committee appointed a "Cybersecurity (EX) Task Force" to serve as the point group on all regulatory matters related to cyber-security. In April 2015, the Cybersecurity Task Force adopted the "Principles for Effective Cybersecurity: Insurance Regulatory Guidance."

The 12 principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. Additionally, the NAIC is developing new reporting requirements for insurers to better track cyber-insurance policies issued in the marketplace. In March 2016, the NAIC exposed its first draft of an “Insurance Data Security Model Law.”

However, in September of this year, the New York State Department of Financial Services (DFS) issued its own proposed broad set of cyber-security regulations for banks, insurers, and other financial institutions doing business in New York. The regulations, as proposed, could be particularly problematic for smaller banks and insurers, including captives.

The DFS proposal introduces several requirements that do not currently appear in the NAIC draft Model Law, including the following.

  • Data Encryption. The New York requirements call for sensitive data to be encrypted both in transit and at rest. The at-rest requirement is a potential problem because, in the author's view, this is not yet common industry practice and would require encryption of every location where such data is stored, including laptops, tablets, and cell phones.
  • Enhanced Multi-Factor Authentication. The New York proposal requires all users accessing internal systems from any external network or accessing database servers to use multi-factor authentication.
  • Annual Certification. The New York regulations would require either the Chair of the Board or a senior officer to certify annually that their cyber-security program meets all of the proposal’s requirements. Those submitting the certification could be held personally liable if the organization’s cyber-security program is found to be deficient.
  • Incident Reporting. All covered entities would be required to notify DFS within 72 hours of discovering a cyber-security incident.
  • Third-Party Risk Management. The regulations also require covered entities to conduct due diligence on third parties and to perform annual assessments of the cyber-security practices of any third party that has access to data held by the entity.
  • Creation of a Chief Information Security Officer (CISO). Entities subject to the regulation must appoint an individual to act as a CISO and report semi-annually to the Board of Directors.

It is too early to tell whether this DFS regulation will move forward in its current form; however, captives need to be vigilant because the proposed compliance start date is June 2017. Captives with any exposure to New York would be wise to monitor this situation closely.