While the DFS was understanding of our concerns, they do not intend to change their position on the TPSP issue.
Under Section 500.11, effective March 1, 2019, all covered entities (agencies and brokerages) will be required to:
Create and implement a written third party service provider policy designed to ensure the security of nonpublic information that is accessed by TPSPs (including, but not limited to, technology/software vendors and insurance carriers). The policy must consider, to the extent applicable, the risk posed by the third party, minimum cybersecurity standards to be met by TPSPs, due diligence processes to evaluate the adequacy of TPSPs, and periodic risk assessment of TPSPs.
Include in that written third party service provider policy guidelines and/or contractual protections relating to TPSPs, including, to the extent applicable: the TPSP’s policies and procedures for access controls; use of encryption; notice to the covered entity of a cyber event; and representations and warranties addressing the TPSP’s policies and procedures that relate to the security of the covered entity’s own information systems.
Per the DFS, due diligence of TPSPs is a two-way street in the case of agents/brokers and carriers. Carriers must conduct a risk assessment and due diligence on all of their agents, while agents must likewise conduct a risk assessment and due diligence of all carriers whose policies they write.
Big I New York Has Your Back:
Big I NY strongly advocated for the agent/carrier relationship not to be treated as a third party service provider relationship, as both entities already must certify compliance with the cyber regulation to the DFS annually. The DFS’s recent decision is disappointing, and we are concerned it will cause confusion and result in significant costs to independent agents and brokers.
We are currently developing resources to assist agents in complying with the third party service provider requirements. Our goal is to provide a template third party service provider policy, suggested guidelines, and a questionnaire or other resource to help with the identification of third party service providers and the assessment of their security policies and practices.