(DeWitt, New York, Nov. 14, 2016) — The Independent Insurance Agents & Brokers of New York (IIABNY) has asked the New York State Department of Financial Services (NYSDFS) to make its proposed cybersecurity regulation “more workable” for insurance agencies. The group submitted formal comments to the department in a letter last week.
The proposed regulation, titled Cybersecurity Requirements for Financial Services Companies, requires insurance agencies and other financial services firms to implement numerous security measures. These include formal cybersecurity programs and policies; hiring cybersecurity staff and a chief information security officer; regular network security tests; systems to recreate network events; formal evaluations of third parties’ security practices; and other requirements.
IIABNY president and CEO Richard A. Poppa, CAE, AAI said, “During in-person discussions, the department has shown a willingness to consider our thoughts on cybersecurity requirements. We appreciate the opportunity to provide comments on these rules that will affect hundreds of large and small insurance agencies.”
IIABNY is concerned about the high cost of complying with the proposed requirements. Some may cost more than $100,000 to meet. Two-thirds of IIABNY member agencies have fewer than seven employees. They cannot afford these costs and could be forced to close.
IIABNY's comment letter recommended several changes, including:
- Exempting additional small agencies from the requirements
- Defining who is a “third party”
- Waiving third-party requirements when two firms subject to the regulation do business with each other (for example, an agency doing business with an insurer)
- Applying existing state requirements when an agency does business with a third party not subject to the regulation
- Exempting non-resident agencies, who are subject to rules in their home states
- Giving agencies more time to comply with some requirements
- Requiring protection of consumers’ private information only
- Requiring agencies to report to the department only successful cyberattacks
- Aligning the incident-reporting requirement with existing state law
- Eliminating the requirements for agencies to implement audit trail systems, encryption of data stored on servers, and multiple-step verification of network users’ identities
- Eliminating the requirement for agencies to destroy consumer information that might be used in the future to sell more insurance
- Considering agencies who meet certain minimum requirements to be in compliance
- Making the regulation temporary so that its continued necessity can be evaluated
It is expected that the department will respond to all public comments later this year.
The text of IIABNY's comments is available for download at http://www.iiabny.org/Resources/MAC/SiteAssets/MAC/Cyber/cybersecurity/IIABNY%20Cyber%20Comments%20FINAL.pdf.
The Independent Insurance Agents & Brokers of New York, Inc. has represented the common business interests of independent insurance professionals since 1882. More than 1,750 agencies and their 13,000 plus employees currently rely on the DeWitt, New York-based not-for-profit trade association for legislative advocacy, continuing education and other means of industry support. In addition, most IIABNY members proudly identify themselves as Trusted Choice® agents and brokers, a national consumer brand uniting more than 21,000 independent agencies across the United States. For more information, go to www.trustedchoice.com or www.iiabny.org.