Insurance companies operating in the state of New York will become subject to new cyber security regulations that take effect on March 1, 2017. New York is the first state to require insurers to report data breaches and protect customer information by encryption, access controls, and other mechanisms. The rules are in response to a number of costly data breaches across the nation and seek to prevent future cyber-crimes.
Under the rules, insurers must perform risk assessments and create a cyber security program tailored to their specific needs. The cyber security program must identify risks, detect breaches and attempted breaches, act defensively against breaches, mitigate the negative effects of breaches, recover from breaches, and restore normal operations and services. Insurance companies will also be required to monitor and test the effectiveness of their cyber security program with annual penetration testing and bi-annual vulnerability assessments.
Insurance companies must appoint a senior officer to the position of Chief Information Security Officer. The CISO will draft and enforce cyber security policies for the company. These policies must be based on the company’s risk assessment and address information security, data governance, systems and network security and monitoring, physical security, consumer data privacy, and more. The CISO is required to provide an annual report on the insurance company’s cyber security program and any risks or breaches to the insurance company’s board of directors.
The CISO may be a qualified employee of the insurance company or be employed by an affiliate or third party. If the CISO is employed by an affiliate or third party, the insurance company must appoint a senior officer to oversee the affiliate or third party.
In the event of a breach, insurance companies are required to promptly report the incident. By February 15th of each year, insurance companies must write a report detailing any breaches that occurred over the past year. These records must be maintained for at least five years.
Insurers will have 18 months to comply with many of the regulations; however, some provisions, including risk assessments and reports to the company’s board, go into effect sooner. Compliance will be certified on an annual basis.
Limited exemptions apply to firms with 10 or fewer employees, less than $5 million in annual gross revenue, or less than $10 million in year-end total assets.
Click on the link to read the New York State Cybersecurity Requirements.
Cybersecurity and Panel Counsel Law Firms
New York insurers must also verify that third-party vendors that provide them goods or services have sufficient cyber protection mechanisms and due diligence processes. Insurers need to periodically assess the cyber security mechanisms of the third parties they do business with.
Insurance defense law firms providing services in New York will want to familiarize themselves with the rules and determine what responsibilities apply to the law firm.
As we have written about in the past, cyber hackers are targeting law firms with increasing frequency. Click on the link to read our July 2016 post titled, “Cybersecurity Insurance and Law Firm Risk.”
Help with Legal Marketing for Insurance Defense Firms
If your insurance defense law firm is asking how you can get on more insurance panels, give us a call.
Legal Expert Connections, Inc. offers three key benefits to insurance defense law firms nationwide:
- We are the leading U.S. legal marketing agency specializing in the insurance defense market. We know the panel counsel process, and focus on helping you get new engagements.
- Save time and money. You get quality results without the need to invest in senior in-house marketing / business development staff with the associated overhead expense for office space, equipment, and benefits.
- Increase revenue with professional, ongoing legal marketing campaigns. We do the research to identify insurance panel managers, so you can accelerate your business development process.