Reminder: Respond To Carrier Requests With Our TPSP Questionnaire
Member agencies have probably received at least one request from an insurance carrier (or even from IAAC) to complete a third-party service provider (TPSP) questionnaire. The New York financial services cybersecurity regulation requires carriers to perform this kind of due diligence on their service providers.
The requirement applies to all “covered entities,” as the regulation defines that term. Insurance carriers are covered entities, and so are insurance agencies and brokerages. Section 500.11 requires them to include in their cybersecurity policies and procedures those “designed to ensure the security of information systems and nonpublic information that are accessible to, or held by,” TPSPs.
The Requirement
Entities must base their policies and procedures on assessments of their own cybersecurity risks. The policies and procedures must address to the extent applicable:
- Identifying the entity’s TPSPs
- Assessing how much risk they present
- The minimum cybersecurity practices the entity will expect TPSPs to meet
- Due diligence processes to evaluate each TPSP’s cybersecurity practices, and
- Periodic reassessment of the TPSPs based on their history of breaches and the level of risk they present to the entity.
It’s that “due diligence processes” part that is causing carriers and others to send you these questionnaires.
Our Form
As a reminder, we have a simple two-page questionnaire for members to use when they perform their own due diligence.
You can access it here or find it on our Cybersecurity page, along with a library of other cyber compliance resources.
You can also use this form in response to requests from carriers and others. We encourage you to:
- Complete it
- Save a copy of it, and
- Send copies to anyone who requests information about your agency’s cybersecurity practices.
That way you already have the work done when you receive a request. For accuracy, update the form as necessary whenever you change your cybersecurity program.
Consequences For Not Responding
We have heard of some agencies refusing to provide this information to carriers and others. To be clear, the regulation does not require the recipient of the request to provide answers. However:
- An agency’s contract with a carrier might require the agency to respond; refusing to answer may leave the agency in breach of contract.
- The entity requesting the information is within its legal rights to stop doing business with the agency if the information is not provided.
The Point
As of last August, 28 states and Puerto Rico had adopted insurance data security laws in addition to the New York regulation. Those laws are based on the National Association of Insurance Commissioners (NAIC) model. All contain a TPSP due diligence requirement. This is a standard part of cybersecurity risk management.
Carriers and others perform due diligence on your agency because they should and because the regulation requires it. Your agency should be doing likewise for the same reasons. Make it easier on yourself. Use the Big I New York questionnaire for both your requests and your responses.