Aug 10
DFS Issues Troubling Decision on Cyber Regulation
In response to questions posed by Big I and other producer groups, the Department of Financial Services has issued further clarification on which entities it considers “third party service providers” for the purposes of the cyber regulation.

Agents are to be considered “third party service providers” of the insurance companies whose policies they sell. Furthermore, insurance companies may (emphasis added) be considered “third party service providers” for the agents who sell their policies. The cybersecurity regulation requires, as of March 1st, 2019, that all covered entities:

“…implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”

This latest response raises as many questions as it answers, and raises concerns that the DFS may not fully appreciate the real world impact of this decision on agents and brokers.

Under this new interpretation, insurance companies will be required to create cybersecurity guidelines for every agent they do business with, as well as to ensure that those guidelines are being followed. Per earlier guidance from the DFS, the mere fact that agents have certified their compliance with the cybersecurity regulation is not sufficient to satisfy this requirement. The department has, in effect, placed a higher burden on insurance companies for policing cybersecurity than it has placed on itself.

The DFS states:

“...when the independent agent holds or has access to any Nonpublic Information or Information Systems maintained by an insurance company with which it works (for example, for quotations, issuing a policy or any other data or system access), the independent agent will be a Third Party Service Provider with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including but not limited to risk based policies and procedures for minimum cybersecurity practices, due diligence processes, periodic assessment, access controls, and encryption).

Further, an independent agent will also be an Authorized User if it participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.”

Even more troubling is that the new interpretation indicates that, in some cases, the same requirements may apply to agents and brokers vis-à-vis the insurance companies whose policies they sell. From a practical standpoint, this would be extremely burdensome and challenging to comply with. It seems impractical and illogical that this responsibility should fall on agents and brokers.

“It is also noted that, like any other Covered Entity, an insurance company may also be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.”

We are deeply concerned by the DFS's latest guidance, and will continue to work with the department to gain further clarification on what will be required of producers. We are exploring every possible recourse to reduce the negative impact on our members.

For questions, please contact Tim Dodge or Scott Hobson.

Scott Hobson, MPA
Director of Government Relations
