(Dewitt, NY, December 28, 2016) — IIABNY scored a win for its members this week after the DFS accepted the associations' suggestions to change its proposed cybersecurity regulations to exempt smaller agents from its more burdensome requirements.
On December 28, 2016, the DFS published a revised rulemaking of its original cybersecurity rule proposal that it released in September. "IIABNY is very pleased that the DFS has accepted many of the changes IIABNY suggested during in-person meetings and in its formal comments to the department," said Jack Smith, IIABNY Chairman of the Board.
The most important change broadens the limited exemption to include those agencies with fewer than 10 employees, those with less than $5 million in gross annual revenue, or those with less than $10 million in year-end total assets.
The original proposal would have required most agencies, even small ones with one or two employees, to comply. IIABNY met with DFS representatives in October to explain that the majority of the association's members had fewer than 8 employees and these small insurance agencies simply could not comply with the requirements proposed by the new regulation.
Specifically, IIABNY suggested that the limited exemption be based on number of employees, and not the number of customers as the DFS had proposed. IIABNY also suggested that the limited exemption be changed so that agents would only have to meet one of the three listed criteria (employees, revenue or assets) instead of all three. The DFS accepted all IIABNY's recommended changes for this section.
Although the limited exemption will excuse many insurance agencies from having to comply with the more costly and burdensome requirements of the proposal, these agencies will still have to comply with certain parts of the regulation, including establishing and implementing a cybersecurity program and policy and reporting cybersecurity events to the Superintendent.
IIABNY also made several other suggestions that the department included in its revised proposal, including requirements for dealing with third parties services providers, data disposal, notification of cybersecurity events, and transitional effective dates for certain provisions of the rule.
The revised rule is subject to a 30-day comment period during which further comments will be considered. The DFS has pushed back the effective date to March 1, 2017, with compliance required in 180 days from the effective date. However, the DFS has added transitional deadlines for various requirements within the proposal, such as multi-factor authentication and encryption of data.
"IIABNY thanks the DFS for its willingness to listen to our concerns and to make appropriate changes for the benefit of New York small businesses," added Smith.
The Independent Insurance Agents & Brokers of New York, Inc. has represented the common business interests of independent insurance professionals since 1882. More than 1,750 agencies and their 13,000 plus employees currently rely on the DeWitt, New York-based not-for-profit trade association for legislative advocacy, continuing education and other means of industry support. In addition, most IIABNY members proudly identify themselves as Trusted Choice® agents and brokers, a national consumer brand uniting more than 21,000 independent agencies across the United States.
For more information, go to www.trustedchoice.com or www.iiabny.org.