The New York State Department of Financial Services (DFS) today advised all entities it regulates to prepare for increased risks of cyber attacks resulting from recent global conflicts. The industry letter appears to have been prompted by the entry over the weekend of the United States into the conflict between Israel and Iran. Parts of the letter focused on laws and regulations pertaining to virtual currencies and U.S. sanctions against certain countries. Much of it discussed cybersecurity precautions.
“Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns," the letter said.
The department advised all entities to review their cybersecurity programs to ensure full compliance with the state's financial services cybersecurity requirements regulation. It encouraged emphasis on multi-factor authentication (MFA), management of system administrator accounts, and disabling or securing software that enables a person to remotely access and control a separate workstation. Other measures the department recommended that apply to all entities, including insurance agencies that have limited exemptions from the requirements, include:
- Assessing their risks in view of the new threat level.
- Monitoring and assessing risks posed by third-party service providers.
- Testing the ability to fully restore systems from backup copies of data.
- Giving all employees additional cybersecurity awareness training and reminding them of the additional hazards resulting from world events.
In addition, even small agencies should have at least an informal plan for recovering from disasters such as fires, hurricanes, power and network outages, and cybersecurity attacks. This might include assignments of specific tasks to individuals, lists of staff personal phone numbers and email addresses, carrier contact information, and so on. The department also suggested tracking guidance and alerts from government sources such as the Cybersecurity and Infrastructure Security Agency (CISA).
The letter also reminded entities of the requirement to notify DFS of certain cybersecurity incidents and to report them to appropriate law enforcement agencies such as the FBI and CISA.
We live in dangerous times, when cyber criminals can shut down an insurance agency's business. If you work with a technology consultant on cybersecurity, now would be a good time to check in for advice on how to protect your agency.
|
It is always possible that your agency – or one of the third-party service providers (TPSPs) the agency works with – will be victimized by cyber criminals. If that happens, the New York financial services cybersecurity regulation requires you to notify the state Department of Financial Services (DFS). While you're attempting to limit and repair the damage, these are some questions that might come up:
What is a “cybersecurity incident"?
The regulation defines that term in two parts. The first is “cybersecurity event," which has a very broad meaning. It is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." Any of these could be a cybersecurity event:
- Someone enters the wrong password three times while trying to log into your network and gets locked out.
- Someone sends your office a phishing email.
- Someone outside your agency calls an employee and asks for their network password.
The DFS is not interested in hearing about most of that. They want to hear about “cybersecurity incidents." These are cybersecurity events that:
- Have occurred at your work location, at any company related to your agency by ownership, or at a TPSP; and
- Impact your agency and require you to notify a governmental body such as the state police; or
- Have a reasonable likelihood of materially harming any material part of your normal operations; or
- Result in the deployment of ransomware within a material part of your computer systems.
In plain terms: if an event affects you, one of your affiliates, or one of your TPSPs, and it either requires you to notify the authorities, will likely substantially harm any crucial part of your operations, or results in extortionists shutting you down, you must report it to DFS.
When do we have to report the incident?
“(A)s promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider." The clock starts ticking when your office has determined that an incident occurred. That could be when your technology people confirm that your systems were hacked, or it could be when a TPSP informs you that it has suffered a breach.
How do we report an incident?
The regulation requires the covered entity to make the report electronically on the DFS portal (https://myportal.dfs.ny.gov/). It's the same portal where your agency makes the annual compliance filings and where agencies and individuals submit exemption filings when appropriate.
How do we fill out the report?
DFS has provided instructions on how to complete it.
What happens after we submit the report?
If DFS decides to investigate the matter, they may contact your office for additional information. Understand that, if the incident occurred at one of your insurance carriers, every agency significantly impacted by the incident is required to report. That means DFS may receive a large volume of notifications, and it is possible that they will not contact every agency that notified them.
What happens if we do not report an incident?
The regulation states that any “failure to act to satisfy an obligation" is considered a violation. DFS has authority to penalize violators.
Anything else we should do?
Create the strongest cybersecurity program you can reasonably afford, to reduce the odds that you will ever have to make this report. Your time is better spent serving your clients than repairing the damage a cyber-attack can cause.
Where can I get more information?
Three good sources:
|
We are happy to announce a new resource to help you comply with New York's financial services cybersecurity regulation: a "frequently asked questions" document.
The seven-page file provides answers to some of the questions Big I New York members ask most often about the regulation, including:
- Are licensed employees required to make the annual compliance filings?
- How do I get help completing the compliance filing?
- Does my agency have to submit the Notice of Exemption every year?
- Do agency employees have to submit the Notice of Exemption every year?
- If my agency qualifies for the limited exemption, what requirements do we have to meet?
And many more. We encourage you to review it and save a copy for future reference. There is a link to it on the main page of the Cybersecurity section of our website.
When it comes to regulatory compliance, Big I New York has your back.
|
As we mentioned last week, the New York financial services cybersecurity regulation requires all covered entities (including all insurance agencies) to create and maintain an inventory of their information system assets. Entities have until Nov. 1, 2025 to comply with this requirement.
We have developed a Microsoft Excel workbook that will help you meet this requirement. For each listed device, it has fields for several pieces of information, including those the regulation specifically mentions (owner, location, classification/sensitivity, support expiration date, recovery time objectives). Where possible, it uses drop-down menus to make selecting an answer easier. It is currently formatted for up to 100 devices. Should we start to get complaints that this is not enough, we'll update it.
The new workbook is available here. You can always find it by:
- Logging in at www.biginy.org.
- Clicking the Cybersecurity button on the home page.
- Clicking the Compliance Resources image.
- Clicking on "Step 2: Conduct An Internal Agency Risk Assessment."
- Clicking on "Device Inventory."
|
Question from a Big I NY member: "Question regarding data retention. In our agency management system (AMS), we retain files as long as the provider does. Is that acceptable? We do so for protection, i.e., say we wrote life insurance and fifteen years later the client dies and the company claims some type of misrepresentation from insured on application. We would want all of the backup notes, signed forms, questionnaires. Is this okay? I could not find on your website anything addressing this besides that we need to keep for the required legal periods, say seven years as a minimum, but what about longer?
Also, say a client leaves us, I do not delete their files in the AMS. They may come back and if so, I do not have to develop all the same information again such as address, date of birth, etc., or maybe a coverage issue arises down the road from pollution liability, etc. Am I under any obligation to wipe a client off the AMS after they are no longer a client after say seven years, or am I allowed to retain?"
Section 500.13(b) of the regulation states: "(b) As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1 (k) (2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained."
Section 500.1(k)(2)-(3) states: "(k) Nonpublic information means all electronic information that is not publicly available information and is: … (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number; (ii) drivers' license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual's financial account; or (v) biometric records; (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to: (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual."
Section 500.13 requires your agency to have policies and procedures for periodically and securely disposing of these types of information once they are no longer necessary for the agency's operations or other legitimate business purposes. The determination of when the information is no longer necessary is entirely up to you. It could vary from one agency to another, and even within an agency it might vary depending on the type of information. The only exceptions are:
- Where another law requires you to retain the information (I can't think of an example offhand).
- Where it's infeasible for you to delete it (for example, some agency management systems leave the agency with no control over data storage).
As a side note, New York insurance laws and regulations require agencies to retain copies of only three types of documents, and none of them fall under this regulation. They are service fee agreements, premium account records, and producer compensation disclosures, and they must be retained for at least three years. While the law does not require you to retain other types of client records, the E&O attorneys recommend retaining them for at least seven years as a loss control measure, because the statute of limitations for suing an agency in New York is six years. See The E&O Report, July 2013: “Because New York law provides that an insured has up to six years from the time when an error or omission occurs in order to commence legal action against an agency or brokerage, we always recommend that every agency or brokerage retain all documents for a period of at least seven years or even longer if possible."
The key thing with this section of the regulation is that you must have written policies and procedures for how long you will retain non-public information and how you will securely dispose of it when you don't want or need it anymore. Those policies and procedures are entirely up to you.
The sample cybersecurity program the DFS provides contains this content about the data retention requirements: "1. Describe how you dispose of nonpublic information when it is no longer necessary for business operations or for other legitimate business purposes: 2. Describe how long nonpublic information is retained, both generally and for any special categories where the general rule does not apply: ... Examples of secure disposal methods include: shredding paper so nonpublic information cannot be read or reconstructed; destroying or erasing electronic files or media so that non public information cannot be read or reconstructed; and hiring qualified third-party service provider who can provide such secure disposal. More information is available from the U.S. Cybersecurity and Infrastructure Security Agency at https://www.cisa.gov/sites/default/files/publications/DisposeDevicesSafely.pdf."
Just remember: the longer you retain non-public information, the longer you must protect it.
|
All New York regulated financial services companies, including insurance agencies, must implement additional cybersecurity procedures by May 1. These requirements are part of the 2023 amendments the New York State Department of Financial Services (DFS) made to the state's financial services cybersecurity requirements.
While most Big I New York member agencies have fewer than eight employees and do not have a staff person known as a “system administrator," some may have one who performs some administration functions. A system administrator has special systems access, allowing them to make security-related changes to the systems. These might include turning access on or off for individuals, configuring firewalls to permit data to enter the system, and related functions. The cybersecurity regulation refers to accounts that grant a person this kind of access as “privileged accounts." If your agency uses privileged accounts for a staff person to make security changes, it must:
- Limit the number of them.
- Limit the functions someone with a privileged account can perform to only those necessary for performing their job.
- Limit when an individual can use a privileged account to only those times when they are performing functions that require this access.
Other requirements that agencies must implement by May 1 include:
- Reviewing all user access privileges at least annually.
- Removing or disabling all accounts and access that the review shows are no longer necessary.
- Disabling or securely configuring all network software that allows someone (such as a system administrator) to remotely control a device (such as an employee's workstation).
- Promptly terminating users' access privileges upon their departure from the agency.
- Implementing written password policies that meet current industry standards. This might be a requirement that passwords be twelve or more characters long and contain upper- and lower-case letters, at least one number, and at least one special character (such as a question mark).
Those of you who click the link above to the regulation's text will see a reference to “class A companies." A class A company has at least $20 million in annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue. No Big I New York members fit this definition.
Many of you may be informally doing some or all of these procedures already. They should become part of your agency's cybersecurity policy, the written document of agency policies and procedures designed to protect your systems and non-public data. Last spring, DFS published a new cybersecurity policy template for the businesses it regulates to use. The template is comprehensive, and we encourage all members to use it as a starting point. You will find the section pertaining to the requirements described above under Section V. Access Privileges and Management, starting at the bottom of page 4.
This is the next-to-last deadline for complying with the regulation's amendments. Agencies have until November 1 to create and manage inventories of the components of their information systems (workstations, laptops, phones, etc.). We will provide guidance on how to create the inventory this fall.
For more information:
- www.biginy.org/cyber
- NY Cybersecurity Regulation: What Your Agency Needs To Do (Jan. 10, 2025)
- Another Resource To Help with Cyber Reg Compliance (Feb. 11, 2025)
|
We are pleased to announce the creation of another new resource to help independent insurance agencies comply with the New York financial services cybersecurity regulation. The new tool helps agencies that qualify for the limited exemption identify the requirements that apply to them. It also informs the agency as to which filing it must submit before the April 15 deadline.
Section 500.17(b) of the regulation requires all "covered entities" (New York licensed and chartered companies in the banking, financial services, and insurance industries) to annually submit either a Certification of Material Compliance or an Acknowledgment of Non-Compliance regarding the prior calendar year. The entity must complete and submit the appropriate form on the New York State Department of Financial Services (DFS) website annually by April 15.
This requirement applies to the business entity only; it does not apply to licensed employees of an agency.
Our new resource provides a checklist of the requirements that apply to limited exempt agencies. The list is in the form of several questions for which the answers are either "yes" or "no." If the head of IT for your agency (and that person may well be the agency principal) can truthfully answer "yes" to all the questions, the agency should submit the Certification of Material Compliance.
On the other hand, if the truthful answer to one or more questions is "no," the agency should complete the Acknowledgement of Non-Compliance.
The checklist is an exclusive benefit for Big I New York members. You can find it on the Filing Instructions page in the Cybersecurity section of our website. Because the Cybersecurity section is a benefit that our members pay for, users must log in to the site with their email address and password to access it.
Other resources to help you complete the filing include:
Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.
|
Big I New York has unveiled a new resource to help agencies comply with part of the New York financial services cybersecurity regulation. Specifically, it will make it easier for you to comply with the requirements regarding third-party service providers. You now have one-stop access to information about the cybersecurity practices of large publicly traded insurance carrier groups.
The regulation's Section 500.11 requires all covered entities, including insurance agencies and brokers of any size, to “implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers." (See this flowchart to determine who is a third-party service provider for your agency.) The policies and procedures, which the agency must base on its annual or more frequent risk assessments, must address, among other things, “due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers …" If a third-party service provider has access to your computer systems and data, the regulation requires you to investigate what they're doing to prevent data breaches. (I recorded a 20-minute video about this requirement in 2019.)
The most common way entities perform this due diligence is to send third parties a questionnaire like the one we created for you to use. However, as I said in the video, the questionnaire is one way to perform the due diligence; it is not the only way. The text I quoted above does not say anything about a questionnaire. It says the policies and procedures must address “due diligence" without telling you how to do it. Section 500.11 also requires each covered entity to establish “minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity." What those minimum practices must be is up to you; the regulation does not set them. For example, you could say that every third-party service provider must meet at least the requirements of the New York regulation. I've said it many times: The good thing about this regulation is it gives entities a lot of leeway on how to comply. The bad thing is it gives entities a lot of leeway on how to comply. You must figure out what works best for you.
The New York State Department of Financial Services (DFS) has said that an insurance agency is a third-party service provider to a carrier, and a carrier is a third-party service provider to an agency. This means the agency must perform due diligence on its carriers. Getting a response from a large national carrier to a questionnaire may be futile. Our new resource makes that unnecessary. U.S. Securities and Exchange Commission rules require publicly traded companies to report on their cybersecurity programs as part of their annual 10-K reports. The new list posted in the Cybersecurity section of our website links to those sections of the 10-K reports for thirteen carrier groups, including Travelers, The Hartford, AIG, Erie, Progressive, and others that many Big I New York members represent.
After you've decided what your minimum requirements are, download the report for the carrier group you're investigating, compare the contents of that report to your requirements, and decide whether the carrier meets them. If they do not, you then must decide whether to continue doing business with them. The regulation does not require you to stop doing business with them. However, if they ever suffer a breach that affects you or your clients, you should be able to justify to the DFS your decision to do business with them.
Companies typically file their annual 10-K reports from late January to late February. The links on the list right now are to the year-end 2023 reports. We plan to update the links in March after they've filed the 2024 reports. We encourage you to save yourselves some work and use this information as part of your compliance efforts. You'll find links to the list on the main page at www.biginy.org/cyber and on the Compliance Resources page.
|
January 2025 has brought with it fresh batches of lake effect snow and a new cybersecurity regulation compliance filing season. Sometime between now and April 15, each agency must log into the NYS Department of Financial Services (DFS) cyber portal and complete and submit one of two forms:
Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.
In November 2023, DFS adopted amendments to the regulation that implemented a number of changes that are being phased in between Nov. 1, 2023 and Nov. 1, 2025. The bulk of these changes impacted larger entities that do not qualify for the limited exemption. More than 90% of Big I New York members were not impacted by those changes. However, there are some requirements that even small agencies had to meet starting in 2024, with others to follow this year. The following items apply to all agencies:
2024 Changes
- Risk assessments must now be done annually.
- The agency's senior officer or its governing body (if it has one) must review and approve the written cybersecurity policies and procedures annually.
- Cybersecurity awareness training, including training on social engineering attacks, must be provided to employees annually.
- Multi-factor authentication (MFA) must be implemented for situations where agency staff access the agency's computer system remotely (from home, cars, restaurants, etc.)
2025 Changes
- Implement restrictions on system administrator accounts (effective May 1).
- Implement written policies and procedures for producing and maintaining an asset inventory of the agency's systems (workstations, mobile devices, phones, printers, etc.) (effective Nov. 1).
Here are answers to some questions you might have:
Do I have to file for both the agency and all my licensed employees?
No. Your licensed employees should have long ago submitted Notices of Exemption to the department indicating that they are covered by your cybersecurity program. That makes them exempt from having to complete and submit these forms.
Is this something new?
No. The first Certification of Compliance was due by February 15, 2018. In 2020, the department pushed the filing deadline back to April 15 (it was actually later that year because of the pandemic, but it is now permanently April 15). The Acknowledgment of Non-Compliance requirement took effect at the end of 2023. DFS expected entities who may have been out of compliance to complete and submit that form last year.
How do I know what sections of the regulation apply to me?
If your agency is large enough to not qualify for an exemption, you must comply with all of it. More than 90% of Big I New York members qualify for the limited exemption, and they must comply with only some sections. You can find a list of those sections in our post of Dec. 4, 2023.
What do I have to do to comply?
We have a comprehensive Cybersecurity section on our website with plenty of content to help an agency comply. The most important parts of that section are the Filing Instructions and Compliance Resources pages. Other pages provide links to the relevant laws in other states, vendors who can assist you, and checklists.
Can you help me complete the filing?
We encourage you to watch the recording of a webinar Tim Dodge presented last April in which he went step-by-step through the process. Dozens of members attended that webinar and completed their filings in real time. The procedure has not changed since then, so it should be a useful aid for you. Members who wish to have Big I New York staff members provide one-on-one assistance with the filing may obtain that assistance, but there is an additional monetary charge.
Why is the State of New York doing this to me?
Section 500.0 of the regulation states in part, “Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. … Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities."
Why are insurance agencies being singled out?
They're not. The requirements of this regulation apply to every New York licensed or chartered person or entity in the financial services industry. That includes agencies, carriers, banks, credit unions, investment companies, and so on. It also applies to non-residents who hold New York licenses or charters.
Do other states require this?
New York was the first state to adopt a cybersecurity regulation for financial services, but at least 22 other states (Connecticut among them) have enacted insurance data security laws based on a model law published by the National Association of Insurance Commissioners (NAIC). To our knowledge, however, New York is the only state that requires insurance producers to submit annual compliance filings.
Where can I find more information?
Three excellent resources are:
- Big I NY Cybersecurity Resources
- Big I NY Newsfeed – Cyber section
- NYS DFS Cybersecurity Resources
For answers you can't find there, contact Tim Dodge at 800-962-7950 extension 229 or at tdodge@biginy.org.
|
The New York State Department of Financial Services (DFS) has cautioned the businesses it regulates that some remote technology workers may be secretly acting on behalf of the North Korean government. DFS issued the alert in a November 1 letter. Big I New York members who hire virtual assistants or other remote workers should take precautions to avoid hiring one of these individuals.
According to the letter, information technology (IT) workers operating on behalf of North Korea have used several tactics to get jobs with U.S. companies. These include posing as individuals from the U.S. or other countries, using false or stolen identities, or buying identities from U.S.-based individuals.
The individuals often use virtual private networks (VPNs) to make it appear that they reside in the U.S. when they apply for remote jobs. Notably, they may also refuse to join in-person or video conference meetings. They may also have their new employer's computer equipment shipped to alternative locations just before they start work, which permits U.S.-based co-conspirators to access the equipment.
DFS said that the Federal Bureau of Investigation (FBI) and the U.S. Department of State have issued advisories regarding these threats.
The letter advised regulated entities to:
- Make senior management, IT personnel, and human resources departments aware that this could happen.
- Conduct a thorough background check during the hiring process, possibly including live or video interviews.
- Track the locations of company-owned laptops and cellphones to ensure that they are delivered and remain at the residence address the employee provided.
- Limit remote employees' access to systems.
- Notify law enforcement and regulators promptly if they conclude that they've been victimized by one of these schemes.
The complete text of the letter, including links to the FBI and State Department alerts and the web address for reporting incidents, is on the DFS website.
|