New NYDFS cybersecurity regulations: What will change for insurance?

How will new rules, coming into effect this week, affect insurers?


By Lucy Hook

Set against a backdrop of a turbulent political landscape, and the lightning-fast development of technology, cybersecurity has been a growing concern for businesses – not least insurers – in recent years.

Now, New York – a key state for the insurance industry – is becoming the first in the US to implement tough cybersecurity regulations, which come into effect this week on March 01.

The state regulator’s new rules bring in “very specific and granular requirements,” Michelle A. Kisloff, a partner at law firm Hogan Lovells in Washington D.C., where she leads the privacy litigation team, told Insurance Business.

The New York Department of Financial Services rules will force companies, including insurers, to vouch for their resilience to cyber-attacks.

Requirements include the need to designate a chief information security officer with board-level responsibilities, the implementation of both reporting and incident response procedures, and specific requirements on the encryption of data.

At a national level, there has been a focus among state regulators on cybersecurity since at least 2014, Therese M. Goldsmith, a partner at Hogan Lovells in Baltimore and a former insurance commissioner for the state of Maryland, explained.

“State regulators have been meeting with their federal counterparts, and, independently, have been very focused on establishing cybersecurity standards in light of a number of high-profile data breaches,” Goldsmith said.

Overall, there are potentially a number of wider regulatory changes on the horizon affecting the insurance industry, according to Goldsmith.

“Certainly, I would say there’s quite a focus at the moment in the US on examining a number of regulatory issues that impact insurance at the federal level,” she said.

The new Trump administration looks to be bringing in several bills that may scale back parts of the Dodd-Frank Act implemented by the Obama administration in 2010, Goldsmith said.

There is also a push towards “taking a look at the designation of certain insurers as systemically important financial institutions,” she added.

However, despite a “fair amount of activity at the federal level in the US,” the system of state-level regulators as the primary mode of insurance regulation remains unlikely to be changed – at least not fundamentally – according to Goldsmith.

As for the incoming NYDFS rules, it remains to be seen exactly how the insurance industry itself will be affected.

Earlier this month, analyst firm Fitch Ratings said that the new regulatory climate could reinforce the growth trend seen in the cyber insurance space.

It also warned, however, that the new rules “could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters.”

