On July 29th, the NYSDFS released a pre-proposed draft of forthcoming amendments to 23 NYCRR 500, New York's sweeping cyber regulation.
The DFS proposes a wide range of changes to the regulation, including but not limited to:
- Require covered entities to strictly limit the number of "privileged accounts" (accounts able to perform security-relevant functions that ordinary users cannot)
- More specific requirements for entity risk assessments, which would be required annually and whenever there is a material change to risk, rather than "periodically"
- Possibly requiring employees of covered entities to develop their own third-party service provider policies. We have requested clarification on this as it would have troubling implications for individual agents.
- Expand the definition of third-party service providers to include governmental entities.
- Certification of compliance will have to be backed up by internal documentation of compliance.
- If an entity was not in compliance at the end of the prior year, they will have to say so, identify the provisions with which they are not in compliance, and identify the areas that require improvement.
- The criteria for an entity to qualify for the limited exemption have been broadened:

| Current threshold | Proposed threshold |
|---|---|
| Fewer than 10 employees | Fewer than 20 employees |
| Less than $5 million in New York revenue | Less than $5 million in New York revenue (unchanged) |
| Less than $10 million in total assets | Less than $15 million in total assets |
- Individual insurance agents (those with licenses carrying the LA or PC prefixes) whose licenses are in inactive status (because no carriers have appointed them) will be completely exempt from the regulation's requirements unless they otherwise qualify as covered entities. For example, a person with an inactive PC license and who also has a valid property-casualty broker (BR) license would not be exempt.
- The enforcement section has been significantly expanded. A single act, or a single failure to act, to satisfy an obligation required by the regulation will be deemed a violation. Violations include, but are not limited to, failure to protect systems or information due to noncompliance, and also "the failure to comply for any 24-hour period with any section or subsection of this Part."
This is the first step in the process of amending the cyber regulation; the department will accept comments on this draft until August 18th, then release a proposed amendment for formal comments. After the comment period, a final draft of the amendments will be adopted.
The proposed amendments state that they will be effective immediately upon publication of the notice of adoption. However, compliance will be required later – for most of the changes, compliance will be required within 180 days of the effective date. Compliance with the new cybersecurity event reporting requirements will be required within 30 days, while compliance with the changes to the access privileges, multi-factor authentication (MFA) and training and monitoring requirements will be required one year from the effective date.
Big I NY Has Your Back:
Big I NY is carefully reviewing the proposed changes and will submit comments to the DFS. We will keep members apprised of important developments. Please contact Scott Hobson at SHobson@BigINY.org with comments or questions.
In the five and a half years since the New York State Department of Financial Services implemented its Cybersecurity Requirements For Financial Services Companies regulation, I had yet to hear of an insurance producer being penalized for violations. Until this week.
As is my habit, I checked the department's website first thing Monday morning and found a news release they had issued last Friday, June 24. The release announced a $5 million penalty against an insurance producer for violations of the regulation.
I should mention that this wasn't any ordinary insurance producer. It was Carnival Cruise Line, the high-profile provider of ocean cruises whose annual revenue shrank to $3.5 billion in the 12 months ending in February 2022.
Apparently, Carnival had New York producer licenses to sell life insurance, accident and health insurance, and variable life/variable annuities insurance. I say "had" because the department's news release reported that the company had surrendered its licenses.
According to the news release, Carnival suffered four cybersecurity events between 2019 and 2021, including two ransomware attacks. "These Cybersecurity Events involved the unauthorized access of the companies' information systems, leading to the exposure of customers' sensitive, personal data," the statement said.
DFS found that the company had violated five sections of the regulation:
- 500.12, which required them to implement multi-factor authentication
- 500.2, which required them to include in their cybersecurity program a plan to meet reporting obligations to DFS
- 500.17(a), which required them to report a significant cybersecurity event to DFS within 72 hours of determining that it had occurred (the first event was not reported within that timeframe)
- 500.14, which required them to implement policies and procedures designed to detect unauthorized access or use of non-public information
- 500.17(b), which required them to annually submit an accurate certification of compliance with the regulation. The department determined that the certifications filed for calendar years 2018 through 2020 were "improper" because of the missing safeguards.
Insurance agencies and brokerages that qualify for the regulation's limited exemption are exempt from the multi-factor authentication and system monitoring requirements. However, the event reporting and certification of compliance requirements apply to all individuals and entities that hold New York insurance licenses. Any agency that is not complying with those requirements could also face DFS penalties, though likely not to the tune of $5 million.
The takeaway: DFS is enforcing this regulation. To date, the enforcement actions they've publicized have been against large entities - lenders, insurance carriers, and now a multi-billion dollar travel business. New York licensed agents and brokers should not assume that big targets are the only targets. All "covered entities" (those with New York insurance or financial services licenses or banking charters) are expected to comply with requirements that apply to them. We encourage you to take the obligations seriously.
For more information on how your agency or brokerage can comply with the regulation:
PropertyCasualty360.com has a post up on its site today that features a question-and-answer session with Troy Stairwalt, chief information security officer of Westfield Insurance. I encourage you to read the entire article, but here are some excerpts I want to emphasize:
"Here are three common ways an agency is most likely to be caught in a cyberattack:
- Supply chain management
- Third-party vendors
All three represent real cyberthreats to agencies for several reasons including:
- Increase in cyberthreat activity;
- Increasing regulatory requirements and repercussions; ...
- New requirements simply to be eligible to apply for cyber insurance coverage. ...
Industry, state and federal regulations have been — and will become — increasingly onerous in response to cyberthreat level activity, which incidentally, since the pandemic, has consistently been at all-time highs year-over-year.
This means agencies will have to adhere to regulations or face repercussions, including fines and penalties. These regulations will require agencies to know where their sensitive data resides and who has access to it. Agencies will also need to show that they have implemented reasonable and prudent controls to effectively manage the risk and demonstrate adherence to regulatory requirements. Multi-factor authentication is simply table stakes in 2022. Expect those stakes to increase. ...
The first thing agencies should know is that cybersecurity does not have to break the bank. There are cost-effective ways to protect against a breach. ...
- (Agencies) are more likely to get caught up in a net as collateral damage, versus directly targeted. ...
- One of the most-effective ways to mitigate the risk is security awareness. Train employees so they’re not susceptible to social engineering attacks. Phishing and voice and/or text 'phishing' scams are all too prevalent in 2022. ...
If agencies don’t have multi-factor authentication implemented, it’s unlikely they will even be considered for cyber insurance coverage. ..."
There's a lot more, and I again encourage you to read the entire piece. Suffice it to say that, even if states were not implementing insurance data security laws and regulations (Kentucky became the 21st state to do so last month), cybersecurity would not be optional.
To learn more about New York's Cybersecurity Requirements For Financial Services Companies regulation, consider purchasing and downloading Big I New York's CE On Demand course, 10 Things to Know about the NY Cybersecurity Regulation. If you pass the accompanying exam, you will receive two hours of New York continuing education credit.
Also, network security consulting firm Motiva offers Big I New York members a free, no-obligation cybersecurity audit. Contact them to learn more about what you can do to protect your computer systems and your clients' private information.
The New York State Department of Financial Services (DFS) is holding a live virtual symposium on Tuesday, March 29 regarding cybersecurity. The free event will be streamed over WebEx. The agenda for the session includes:
- A panel discussion on the future of cybersecurity regulation in New York and elsewhere
- Modernization of cybersecurity supervision
- The key cyber risks of 2022.
The event will run from 10:00 am to 12:30 pm. Advance registration is required and is available in the Cybersecurity Resources section of the DFS website.
The New York State Department of Financial Services (DFS) is urging precautions following Russia’s invasion of Ukraine last week. In a Feb. 25 letter to all regulated people and entities, DFS provided detailed guidance. We encourage all of you to:
- Review the contents of the letter; and
- Implement those measures that are appropriate for firms of your size and scope of operations.
This is particularly necessary if you do business with companies in either of the two countries.
Writing that the “Russian invasion of Ukraine significantly elevates the cyber risk for the U.S. financial sector,” Superintendent Adrienne Harris said that regulated entities should:
- Review their cybersecurity programs to ensure that they are adequately protecting computer networks and non-public information. Entities should pay “particular attention to core cybersecurity hygiene measures” such as
  - Multi-factor authentication (MFA);
  - Management of access privileges;
  - Management of vulnerabilities.
The DFS's Cybersecurity Requirements For Financial Services Companies regulation exempts small entities from some of its requirements. Insurance agencies that qualify are exempt from the requirement to implement MFA. However, DFS encourages all entities to implement it anyway. Big I New York partner Motiva is available to assist agencies interested in implementing MFA. They also offer complimentary cybersecurity audits to Big I New York members.
- Plan for how they will respond to cybersecurity incidents and how their businesses will continue operating after an attack.
- Implement DFS’s ransomware guidance from last summer, including making sure they have protected data backups available.
- Given “the realistic threat of extended outages and disruption,” re-evaluate plans to maintain essential services, protect critical data and preserve customer confidence.
- Test data backups before an attack occurs to ensure that restoration will work.
- Remind all employees of the importance of cybersecurity.
The letter also recommended that all entities:
- Monitor guidance and alerts from the federal government and private organizations;
- Implement guidance explained in three linked documents;
- Increase “measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers, including over virtual private networks …” if they do business in Ukraine or Russia.
Because of the invasion, the federal government has imposed several economic sanctions against Russia and people and entities based there. The letter recommended subscribing to email updates from the U.S. Treasury Department regarding financial entities on the Specially Designated Nationals (SDN) list. The SDN list names people and entities against whom the U.S. government has imposed economic sanctions. U.S. law prohibits businesses from doing business with entities on the list unless the Treasury Department has otherwise authorized them to do so by issuing special licenses.
The letter addressed many other practices. It recognized that this isn’t one-size-fits-all advice: “The Department understands that not every measure applies to every regulated entity, however in the interest of transparency, the Department is sharing this vital information with all regulated entities … The Department will provide further guidance to regulated entities as necessary.”
A guest post by Cowbell Cyber
On February 5, exactly one year will have passed since the NY Department of Financial Services published its Cyber Insurance Risk Framework. This Framework outlines seven best practices relevant for property/casualty insurers and should be applied on an individualized basis to insurers depending on their respective amount of risk.
In tandem with the rise of remote and hybrid workplaces, cyber criminals have evolved in their numbers and sophistication. This is evident when one looks at the sheer increase in ransomware attacks, cyber crimes, and other incidents. Though these trends in cybersecurity are acknowledged, society still has a great deal of ground to make up when it comes to awareness and prevention, not to mention recovery. Both the cybersecurity and cyber insurance industries can benefit from one another. The Framework recognizes the interdependence of cyber risk with cyber insurance for both underwriters and policyholders; so, too, does Cowbell Cyber.
Take any best practice outlined in the Framework, and then see that Cowbell Cyber is already well aligned with it.
1. Establish a Formal Cyber Insurance Risk Strategy, and 2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk
- Cowbell's AI-powered continuous underwriting platform maps threats and risk exposure to coverages and enables agents to deliver policies tailored to the unique needs of each customer in less than 5 minutes.
- By design, Cowbell offers standalone cyber insurance policies. We believe this is the only way a business can clearly understand the type of cyber risk for which they are covered.
3. Evaluate Systemic Risk, and 4. Rigorously Measure Insured Risk
- When it comes to evaluating risk, insurers must consider the organization's third-party vendors, its suppliers and other service providers as well as their general cybersecurity posture. Cowbell Factors are the set of proprietary risk ratings that use inside-out and outside-in data to define an organization's risk profile in comparison with Cowbell's risk pool of 22 million US accounts.
- We continue to refine our risk rating model to account for the complexity of cyber risk and cyber threats. Recognizing that bad actors exploit software vulnerabilities to penetrate organization networks, Cowbell added the Software Supply Chain Cowbell Factor to its set of proprietary risk ratings.
5. Educate Insureds and Insurance Producers
- An organization's risk rating determined by Cowbell Factors can be influenced by engagement with and subsequent completion of internal cybersecurity awareness training. By prioritizing and incentivizing cybersecurity education, Cowbell promotes taking preventative measures and quells worries about business continuity with its emphasis on closed-loop risk management.
6. Obtain Cybersecurity Expertise
- On its internal team, Cowbell has an array of subject matter experts both on the insurance side and the cybersecurity side. The Cowbell team at large is also required to complete cybersecurity awareness training, just as Cowbell's policyholders are.
7. Require Notice to Law Enforcement
- Cowbell prides itself on offering a closed-loop approach to risk management, meaning that we bundle resources with policies to identify, qualify, quantify, mitigate, and prevent risk: assess, insure, and improve. For customers, improvement involves understanding and internalizing best practices when it comes to cyber incidents that occur, such as crafting an effective incident response plan.
One of the reasons Cowbell Cyber is so cutting-edge is that we understand that successful cyber insurance policies depend on establishing strong cyber hygiene within an organization and outside of it (i.e., throughout the supply chain and across all third parties). This is of particular importance to Cowbell Cyber because we focus on businesses with revenue up to $250 million.
These are small- to mid-sized enterprises (SMEs) that may not inherently have the resources to prioritize cybersecurity awareness; yet SMEs are part of the backbone of many critical supply chains. Furthermore, a cyber incident at a small business can lead to damaging business interruptions for an entire sector. Cowbell's cyber insurance policies are available in the state of New York, following all of the above principles as stated by NY DFS. All businesses can obtain a cyber risk rating from Cowbell Cyber, regardless of whether they are insured with us. Insurance agents and brokers who want to get appointed to distribute Cowbell's standalone cyber insurance can visit our website.
Now that the calendar has turned the page and left 2021 in the rearview mirror, the window is open for business entities regulated by the New York State Department of Financial Services to submit the annual certification of compliance with the cybersecurity regulation. The requirements have not changed (other than a later deadline) since the regulation first took effect in 2017, but here's a reminder of what does and does not have to be done:
- Business entities (agencies, brokerages, insurers, banks, credit unions, etc.) must visit the DFS cybersecurity portal and submit the certification on or before April 15, 2022. DFS pushed that deadline back 45 days in 2020 because of the pandemic, but it reverted to April 15 last year and remains that date.
- If you don't remember how to submit the certification, refer to these:
- The regulation does not require licensed employees of an agency or brokerage to submit the certification.
- The regulation does not require licensed employees to re-submit a notice of exemption unless they have changed employers.
- DFS does not offer a way for the public to determine the exemption a specific licensed individual submitted.
- If you have a license in your personal name and want to find out what exemption you submitted, we suggest you write to firstname.lastname@example.org, provide your license number, and ask for details on your exemption.
Every resource we have on compliance with this regulation can be found at www.biginy.org/cyber and in the News section of this website.
The federal government is warning that a newly-discovered computer software vulnerability poses a major threat to the security of computer networks. We urge all members to address this threat immediately with either their internal information technology staffs or with qualified technology consultants.
Federal government agencies, including the National Security Agency and the Department of Homeland Security announced the discovery of the vulnerability on Dec. 10. Here is what you need to know:
The vulnerability lies in the Log4j software library, written in the Java programming language and maintained by the Apache Software Foundation. The Apache Software Foundation is not a company; it is a volunteer community of thousands of contributors who build "open source" software products that are free for organizations to use and are continually modified by the community. Think of it as something like Wikipedia for software: the code is openly published under a license that lets anyone use and change it. Open source software created by volunteers is very common in the technology industry. For example, the Linux operating system has always been developed and maintained this way.
The Log4j library is used by Java programs to write log messages, such as security and performance information. Many software vendors incorporate the library into their products, such as websites, applications and application services, usually without the end user ever seeing it. It is quite likely that some of the software your staff use every day is built around Log4j.
The government agencies announced on Dec. 10 that they were "responding to active, widespread exploitation" of the vulnerability. They warned that, "An unauthenticated remote actor could exploit this vulnerability to take control of an affected system." In short, an attacker who can get a specially crafted piece of text logged by vulnerable software, needing no password and no prior access, could seize control of that system and cripple your ability to do business.
Since Dec. 10, Apache has published three software patches to address the problem. Software developers who use Log4j are likely applying the patches and making updates to their software available to users like you. If you are notified that a software update is available, it is probably a response to this threat and you should install the update promptly.
The New York State Department of Financial Services (DFS) advised on Dec. 17 that "All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk." Translation: Find out how big a threat this is to your operation, customers and vendors, and do something about it. If your agency is large enough to have dedicated IT staff, this should be their focus today. Most of you are not large enough to afford or need an IT department. In that case, you should contact a computer network consultant as soon as possible to get advice on how to proceed. Any qualified consultant will be very familiar with this problem.
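A first step in that assessment is an inventory of where Log4j actually lives on your systems. The following is an added example in Python (not code from the original post, from DFS or from Apache) that walks a directory tree, opens each jar/war/ear, looks for the `JndiLookup` class in which the affected lookup code lives, reads the library version from the manifest or file name, and recurses into archives bundled inside other archives. It assumes 2.17.0 as the threshold for a fully patched 2.x release on Java 8 and later, which is what the Apache advisories of the time set out; the sample archives it scans are constructed in a temporary directory for demonstration and contain placeholder bytes, not real Log4j classes.

```python
"""Inventory check for Log4j 2.x jars that still carry the JNDI lookup class."""
import io
import os
import re
import tempfile
import zipfile
from collections import Counter

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption for this example: treat 2.17.0 as the first fully patched 2.x release
# (Java 8+), matching the Apache advisories current in December 2021.
FIXED_VERSION = (2, 17, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a manifest line or file name, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(zf, name):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            version = parse_version(line.split(":", 1)[1])
            if version:
                return version
    return parse_version(os.path.basename(name))


def check_archive(data, name):
    """Return (path, version, status) findings for one archive, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = jar_version(zf, name)
            if version is None:
                status = "unknown-version"  # class present, version unreadable: treat as suspect
            elif version < FIXED_VERSION:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append((name, version, status))
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!/inner" mirrors the Java jar: URL convention for nested entries
                findings.extend(check_archive(zf.read(inner), f"{name}!/{inner}"))
    return findings


def scan_tree(root):
    """Scan every archive under root and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(check_archive(fh.read(), path))
    return findings


def summarize(findings):
    """Count findings by status, e.g. {'vulnerable': 2, 'patched': 1}."""
    return dict(Counter(status for _, _, status in findings))


def build_sample_tree():
    """Constructed sample data: fake archives with placeholder bytes, not real Log4j."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def fake_jar_bytes(version, with_jndi_class):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if with_jndi_class:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        return buf.getvalue()

    samples = {
        "log4j-core-2.14.1.jar": fake_jar_bytes("2.14.1", True),           # vulnerable
        "log4j-core-2.17.1.jar": fake_jar_bytes("2.17.1", True),           # patched release
        "log4j-core-2.14.1-stripped.jar": fake_jar_bytes("2.14.1", False), # class removed
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    # a web application bundling the vulnerable jar one level down
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_jar_bytes("2.14.1", True))
    return root


if __name__ == "__main__":
    for path, version, status in scan_tree(build_sample_tree()):
        print(f"{status:16} {version} {path}")
```

Point `scan_tree` at the directories your IT staff care about (application servers, vendor software folders, home directories where installers were unpacked) rather than the sample tree. An archive whose version cannot be read is reported as `unknown-version` on purpose: the safe default is to treat it as suspect until the vendor confirms otherwise, and the official mitigation for installations that cannot be upgraded was to remove the `JndiLookup` class, which is why the stripped sample produces no finding.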
While this alert came from the New York regulators, this is not a New York specific issue. All members in Connecticut should take similar actions, even those who are exempt from the Connecticut Insurance Data Security Law. This is not a matter of a government mandate; this is a threat that could stop you from doing business.
The government agencies have technical information on this threat available on a dedicated website. Much of this information will not be clear to you, but it will be to your IT experts. We encourage you to direct them to that site, take appropriate actions as soon as possible, and monitor the site for further updates to the situation.
Lastly, if you are a New York agency or brokerage and you determine that someone has used this vulnerability to break into your network, the Cybersecurity Requirements For Financial Services Companies regulation requires you to report that to DFS within 72 hours of your determining that it has "a reasonable likelihood of materially harming any material part" of your normal operations. You can do so on the portal on the DFS website.
If you are a Connecticut agency or brokerage who has made the same determination, and you are subject to the state Insurance Data Security Law, you must notify the state Department of Insurance within three business days if you believe consumer information has been exposed, or if you believe it will affect more than 250 state residents and must be reported to the federal or state governments. The DOI has created a form that must be completed and emailed back to them if this happens.
Under current law, Connecticut agencies with fewer than 20 employees (including independent contractors) "having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control" are exempt from the law. That number drops to 10 on Oct. 1, 2022.
The New York State Department of Financial Services (DFS) is urging the entities it regulates to implement multi-factor authentication (MFA) in their cybersecurity programs, regardless of their size. The statement came in an industry letter posted to the department's website on Dec. 7. If your agency is not already using MFA, you may want to consider implementing it soon.
While stopping short of amending the Cybersecurity Requirements For Financial Services Companies regulation to require all entities it regulates to implement MFA, the letter declared, "Effective implementation of the Regulation's MFA requirement is one of the most potent ways to reduce cyber risk."
MFA is "an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a (virtual private network)." It typically requires a user to enter a password followed by a one-time code delivered by text message or generated by a smartphone application such as Google Authenticator. Because a stolen or guessed password alone is no longer enough to log in, it sharply reduces the opportunities for bad actors to get into the organization's computer network. Of the common second factors, codes sent by text message are the weakest, since phone numbers can be hijacked and the codes can be phished; an authenticator app is better, and a phishing-resistant hardware security key is better still.
Section 500.12 of the cybersecurity regulation requires "covered entities" to "use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access" to their systems and data. However, Section 500.19(a), which sets the criteria for a limited exemption from the regulation's requirements, exempts small entities (typically small insurance agencies and brokerages) from Section 500.12's requirements. Consequently, many agencies that qualify for the limited exemption have not implemented MFA.
The DFS letter pointed out that in 2020 almost one out of every four small businesses suffered cyber-attacks, incurring sizeable financial losses, damaged reputations, and increased cyber insurance premiums. The letter cited a recent survey indicating that the cost of implementing MFA is only $33 per employee, making it a cost-effective tool to reduce cyber risk.
If you are not currently using MFA, we encourage you to carefully consider it. Big I New York has used MFA for employees and third parties to remotely access its network for several years. The DFS letter linked to an online small business toolkit to help exempt entities with MFA. Big I New York members can also access the cybersecurity services of Motiva at a discount.
A guest post by Relay Platform.
Cyber insurance has faced its share of hard bumps over the past few years. Following an unrelenting tide of cyber security claims and a subsequent spike in rates and coverage restrictions, cyber insurance has become a trying market for insurance brokers to say the least. And with cyber criminal activity showing no sign of waning, the trend is likely to continue.
To weather the storm, brokers need to be innovative in order to compete. In the digital age, staying competitive has become synonymous with embracing the right technologies. In this article, we'll take a look at the new breed of insurtech technology available today and how brokers can use it to survive and thrive in this difficult market.
Insurtech: Old Meets New
Before we fully dive into the concept of insurtech, let's first take a look at the two industries that converged to create this new technology and their divergent core values: insurance and tech.
Insurance, for the most part, has always been a very slow and steady industry that is typically wary of quick change. It's also an industry highly regarded for putting people and relationships at the core of its identity. This value of relationships enables the industry to deliver first class customer service — a deliverable that's virtually synonymous with the industry.
On the flipside the tech industry, famed for the lightning pace at which it moves, holds efficiency at the core of what it does. Efficiency allows it to conceptualize, iterate, and produce at speeds that keep it competitive in the constantly evolving digital realm.
Insurance + Technology
| Insurance Industry | Technology Industry |
|---|---|
| Pace: Slow & Steady | Pace: Instant! |
| Core Value: Relationships | Core Value: Efficiency |
Finding Common Ground
So how do we strike a balance between these seemingly polar opposite industry verticals of insurance and technology? The answer lies in finding a common ground between the pace and core values of each. This is particularly important when it comes to evaluating a potential insurtech platform. For example:
- Speed (Quick and Accurate): Take a look at the speed and efficiency goals you may have for your brokerages. Is there a way to shift yourself from a 'slow and steady' pace to a more ramped up pace that will help increase your efficiency without compromising your standard of accuracy?
- Core Values (Relationships strengthened by Technology): 'Disruption' is a concept often referenced when discussing the tech industry. Case study after case study illustrates the power of tech to enter a new industry and 'disrupt' it for the better. While disruption can certainly lead to innovation, we as an industry must also be cautious when injecting tech into our practices. As mentioned above, relationships sit at the very core of the insurance industry. When introducing tech be sure to look for platforms and partnerships that will help to enhance those relationships through better customer service, ease of transactions, and transparency.
Overall, when balance is achieved between the divergent speed and core values of insurance and tech, the results can be remarkable, paving the way for innovative products and first-class servicing that is designed for the digital age.
Relay Platform - Bridging Insurance and Tech
As an emerging leader in Insurtech innovation, Relay has gained immediate industry credibility due to our depth of expertise in both insurance and tech and our passion to energize both sides of these two exciting industries. Through its platform, Relay empowers brokers to discover their edge in the digital era by delivering superior customer service with increased efficiency and accuracy across all lines of coverage and all complexities of risk. Some key differentiators that elevate Relay above the competition:
- We are a Tech Partner, Not a Wholesaler: At Relay we believe strongly in remaining a neutral insurtech provider that enables and supports your carrier and wholesale distribution. We have former brokers on staff who are very passionate about not creating channel conflicts that would complicate your wholesale broker relationships by confusing broker of record appointments, overriding carrier relationships, complicating renewal and claim servicing, and possibly putting entire books of business at risk in the event of a potential acquisition.
- Quote to Bind Efficiencies: Other competing platforms in our space have gone the route of not wanting to burden brokers with collecting underwriting information because it takes too much time. Therefore they are designed to ask for minimal information in an effort to get a rough estimate of final pricing, producing quotes that are no better than non-binding indications. The problem with this approach is that those indications increasingly do not stick once the full set of underwriting questions comes back, which leaves the broker in a bad situation that actually adds more time. Relay does things differently. We've tackled a larger set of questions up front because we have the working knowledge of what will ultimately be required to bind coverage. We have designed features to help brokers move through the submission process more efficiently, leading to BINDABLE quotes in hand and not just rough indications. Additionally, we have built functions into our system to triage underwriting referrals as well as declination scenarios.
- Meeting the Market Where It Is: While APIs are the future of insurance quoting and we actively engage with API-enabled capacity providers, the fact is that many carriers and MGAs do not have functional API technology at present. Our platform has thoughtfully integrated functionality to continue to submit, quote and propose quote options from both API and non-API integrated capacity providers so that we can support a broker's entire book and trading relationships. A true one-stop solution!
There are many more differentiating features here at Relay. Please contact us today for a live demo of our platform and a consultation of how our BrokerTech solutions can elevate your business!
Author Bio: Anne Hasenstab, VP of Cyber and Executive Risk, Relay Platform
Anne is the Vice President of Cyber & Executive Risk for Relay Platform. Her 20+ year career spans both public and private company exposures on the underwriting and brokerage sides of the insurance industry. Anne began her career at Chubb in Chicago as an executive protection underwriter and later held various management roles focusing on D&O, EPL, Professional Liability, and Cyber with firms such as Gallagher, Marsh, Travelers and most recently Ward Insurance, an independent agency in Portland, OR.