Now that the calendar has turned the page and left 2021 in the rearview mirror, the window is open for business entities regulated by the New York State Department of Financial Services to submit the annual certification of compliance with the cybersecurity regulation. The requirements have not changed (other than a later deadline) since the regulation first took effect in 2017, but here's a reminder of what does and does not have to be done:
- Business entities (agencies, brokerages, insurers, banks, credit unions, etc.) must visit the DFS cybersecurity portal and submit the certification on or before April 15, 2022. DFS pushed that deadline back 45 days in 2020 because of the pandemic, but it reverted to April 15 last year and remains that date.
- If you don't remember how to submit the certification, refer to these:
- The regulation does not require licensed employees of an agency or brokerage to submit the certification.
- The regulation does not require licensed employees to re-submit a notice of exemption unless they have changed employers.
- DFS does not offer a way for the public to determine the exemption a specific licensed individual submitted.
- If you have a license in your personal name and want to find out what exemption you submitted, we suggest you write to email@example.com, provide your license number, and ask for details on your exemption.
Every resource we have on compliance with this regulation can be found at www.biginy.org/cyber and in the News section of this website.
The federal government is warning that a newly-discovered computer software vulnerability poses a major threat to the security of computer networks. We urge all members to address this threat immediately with either their internal information technology staffs or with qualified technology consultants.
Federal government agencies, including the National Security Agency and the Department of Homeland Security, announced the discovery of the vulnerability on Dec. 10. Here is what you need to know:
The vulnerability lies in the Log4j software library, written in the Java programming language and created by the Apache Software Foundation. The Apache Software Foundation is not a company; it is a volunteer community of hundreds of thousands of people who build "open source" software products that are free for organizations to use and are constantly being modified by the community. Think of it as content in the public domain that anyone with an interest can modify (Wikipedia is an example of this). Open source software created by volunteers is very common in the technology industry. For example, the Linux operating system has always been developed and maintained this way.
The Log4j software library records network security and performance information. Many software vendors incorporate the library into their products such as websites, applications and application services. It is quite likely that some of the software your staffs use every day is built around Log4j.
The government agencies announced on Dec. 10 that they were "responding to active, widespread exploitation" of the vulnerability. They warned that, "An unauthenticated remote actor could exploit this vulnerability to take control of an affected system." (emphasis added) In short, if your software has this vulnerability, a criminal could seize control of your network and cripple your ability to do business.
Since Dec. 10, Apache has published three software patches to address the problem. Software developers who use Log4j are likely applying the patches and making updates to their software available to users like you. If you are notified that a software update is available, it is probably a response to this threat and you should install the update promptly.
The New York State Department of Financial Services (DFS) advised on Dec. 17 that "All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk." Translation: Find out how big a threat this is to your operation, customers and vendors, and do something about it. If your agency is large enough to have dedicated IT staff, this should be their focus today. Most of you are not large enough to afford or need an IT department. In that case, you should contact a computer network consultant as soon as possible to get advice on how to proceed. Any qualified consultant will be very familiar with this problem.
While this alert came from the New York regulators, this is not a New York specific issue. All members in Connecticut should take similar actions, even those who are exempt from the Connecticut Insurance Data Security Law. This is not a matter of a government mandate; this is a threat that could stop you from doing business.
The government agencies have technical information on this threat available on a dedicated website. Much of this information will not be clear to you, but it will be to your IT experts. We encourage you to direct them to that site, take appropriate actions as soon as possible, and monitor the site for further updates to the situation.
Lastly, if you are a New York agency or brokerage and you determine that someone has used this vulnerability to break into your network, the Cybersecurity Requirements For Financial Services Companies regulation requires you to report that to DFS within 72 hours of your determining that it has "a reasonable likelihood of materially harming any material part" of your normal operations. You can do so on the portal on the DFS website.
If you are a Connecticut agency or brokerage who has made the same determination, and you are subject to the state Insurance Data Security Law, you must notify the state Department of Insurance within three business days if you believe consumer information has been exposed, or if you believe it will affect more than 250 state residents and must be reported to the federal or state governments. The DOI has created a form that must be completed and emailed back to them if this happens.
Under current law, Connecticut agencies with fewer than 20 employees (including independent contractors) "having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control" are exempt from the law. That number drops to 10 on Oct. 1, 2022.
The New York State Department of Financial Services (DFS) is urging the entities it regulates to implement multi-factor authentication (MFA) in their cybersecurity programs, regardless of their size. The statement came in an industry letter posted to the department's website on Dec. 7. If your agency is not already using MFA, you may want to consider implementing it soon.
While stopping short of amending the Cybersecurity Requirements For Financial Services Companies regulation to require all entities it regulates to implement MFA, the letter declared, "Effective implementation of the Regulation's MFA requirement is one of the most potent ways to reduce cyber risk."
MFA is "an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a (virtual private network.)" It typically requires a user to enter a password followed by a special code delivered to the user via a phone text message or a smartphone application such as Google Authenticator. By adding an extra login credential, it reduces the opportunities for potential bad actors to infiltrate the organization's computer network.
Section 500.12 of the cybersecurity regulation requires "covered entities" to "use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access" to their systems and data. However, Section 500.19(a), which sets the criteria for a limited exemption from the regulation's requirements, exempts small entities (typically small insurance agencies and brokerages) from Section 500.12's requirements. Consequently, many agencies that qualify for the limited exemption have not implemented MFA.
The DFS letter pointed out that in 2020 almost one out of every four small businesses suffered cyber-attacks, incurring sizeable financial losses, damaged reputations, and increased cyber insurance premiums. The letter cited a recent survey indicating that the cost of implementing MFA is only $33 per employee, making it a cost-effective tool to reduce cyber risk.
If you are not currently using MFA, we encourage you to carefully consider it. Big I New York has used MFA for employees and third parties to remotely access its network for several years. The DFS letter linked to an online small business toolkit to help exempt entities with MFA. Big I New York members can also access the cybersecurity services of Motiva at a discount.
A guest post by Relay Platform.
Cyber insurance has faced its share of hard bumps over the past few years. Following an unrelenting tide of cyber security claims and a subsequent spike in rates and coverage restrictions, cyber insurance has become a trying market for insurance brokers to say the least. And with cyber criminal activity showing no sign of waning, the trend is likely to continue.
To weather the storm, brokers need to be innovative in order to compete. In the digital age adopting the right technologies has become synonymous with embracing the right technologies. In this article, we'll take a look at the new breed of insurtech technology available today and how brokers can use it to survive and thrive in this difficult market.
Insurtech: Old Meets New
Before we fully dive into the concept of insurtech, let's first take a look at the two industries that converged to create this new technology and their divergent core values: insurance and tech.
Insurance, for the most part, has always been a very slow and steady industry that is typically wary of quick change. It's also an industry highly regarded for putting people and relationships at the core of its identity. This value of relationships enables the industry to deliver first class customer service — a deliverable that's virtually synonymous with the industry.
On the flipside the tech industry, famed for the lightning pace at which it moves, holds efficiency at the core of what it does. Efficiency allows it to conceptualize, iterate, and produce at speeds that keep it competitive in the constantly evolving digital realm.
Insurance + Technology
| Insurance Industry | Technology Industry |
|---|---|
| Pace: Slow & Steady | Pace: Instant! |
| Core Value: Relationships | Core Value: Efficiency |
Finding Common Ground
So how do we strike a balance between these seemingly polar opposite industry verticals of insurance and technology? The answer lies in finding a common ground between the pace and core values of each. This is particularly important when it comes to evaluating a potential insurtech platform. For example:
- Speed (Quick and Accurate): Take a look at the speed and efficiency goals you may have for your brokerages. Is there a way to shift yourself from a 'slow and steady' pace to a more ramped up pace that will help increase your efficiency without compromising your standard of accuracy?
- Core Values (Relationships strengthened by Technology): 'Disruption' is a concept often referenced when discussing the tech industry. Case study after case study illustrates the power of tech to enter a new industry and 'disrupt' it for the better. While disruption can certainly lead to innovation, we as an industry must also be cautious when injecting tech into our practices. As mentioned above, relationships sit at the very core of the insurance industry. When introducing tech be sure to look for platforms and partnerships that will help to enhance those relationships through better customer service, ease of transactions, and transparency.
Overall, when balance is achieved between the divergent speed and core values of insurance and tech, the results can be remarkable, paving the way for innovative products and first-class servicing that is designed for the digital age.
Relay Platform - Bridging Insurance and Tech
As an emerging leader in Insurtech innovation, Relay has gained immediate industry credibility due to our depth of expertise in both insurance and tech and our passion to energize both sides of these two exciting industries. Through our platform, Relay empowers brokers to discover their edge in the digital era by delivering superior customer service with increased efficiency and accuracy across all lines of coverage and all complexities of risk. Some key differentiators that elevate Relay above the competition:
- We Are a Tech Partner, Not a Wholesaler: At Relay we believe strongly in remaining a neutral insurtech provider that enables and supports your carrier and wholesale distribution. We have former brokers on staff who are very passionate about not creating channel conflicts that would complicate your wholesale broker relationships by confusing broker of record appointments, overriding carrier relationships, complicating renewal and claim servicing, and possibly putting entire books of business at risk in the event of a potential acquisition.
- Quote to Bind Efficiencies: Other competing platforms in our space have gone the route of not wanting to burden the brokers to collect underwriting information because it takes too much time. Therefore they are designed to ask minimal info in an effort to get some rough estimate of final pricing on quotes which are no better than non-binding indications. The problem with this approach is that these indications are starting to not stick after the full set of underwriting questions comes back, which leaves the broker in a bad situation that actually adds more time. Relay does things differently. We've tackled a larger set of questions up front because we have the working knowledge of what will be ultimately required to bind coverage. We have designed features to help brokers move through the submission process more efficiently, leading to BINDABLE quotes in hand and not just rough indications. Additionally, we have built functions in our system to triage underwriting referrals as well as declination scenarios.
- Meeting the Market Where They Are At: While APIs are the future of insurance quoting and we actively engage with API-enabled capacity providers, the fact is that many carriers and MGAs do not have functional API technology at this current time. Our platform has thoughtfully integrated functionality to continue to submit, quote and propose quote options from both API and non-API integrated capacity providers so that we can support a broker's entire book and trading relationships. A true one-stop solution!
There are many more differentiating features here at Relay. Please contact us today for a live demo of our platform and a consultation of how our BrokerTech solutions can elevate your business!
Author Bio: Anne Hasenstab, VP of Cyber and Executive Risk, Relay Platform
Anne is the Vice President of Cyber & Executive Risk for Relay Platform. Her 20+ year career spans both public and private company exposures on the underwriting and brokerage sides of the insurance industry. Anne began her career at Chubb in Chicago as an executive protection underwriter and later held various management roles focusing on D&O, EPL, Professional Liability, and Cyber with firms such as Gallagher, Marsh, Travelers and most recently Ward Insurance, an independent agency in Portland, OR.
A guest post by Cowbell Cyber
Cyber Insurance Made Easy. This has been Cowbell's slogan since January 2020 when we first rolled out Cowbell Prime 100 to the market as our initial standalone cyber insurance program. Let's explain what we actually mean. "Cyber Insurance Made Easy" is at the core of what we do, when we design our programs, release them to our distribution channels, and deliver support to our partners and clients.
Our mission is to make cyber coverage accessible to all. This is why the Cowbell team has rebuilt the cyber insurance process from beginning to end and brought innovations at every step: in the cyber insurance programs themselves but also in the way we enable brokers and policyholders to transact (100% digital), how we underwrite and select risk, and the additional value we bring to insureds as part of our policies.
The results are:
- For brokers: increased efficiency as they can build customized quotes and issue policies in less than 5 minutes.
- For policyholders: robust coverage with a wealth of resources bundled with their policy to proactively manage cyber risk.
- For reinsurers: plentiful and detailed information on their risk portfolio.
For agents and brokers, easy cyber insurance is all about the quoting process. Paper-based applications that ask hundreds of questions and will never yield accurate information are a thing of the past with Cowbell Cyber. Now, agents can add new accounts, prepare multiple, customizable quotes, and send them to policyholders for review in a matter of a few minutes.
When creating policies, our proprietary risk rating factors, or Cowbell Factors™, will help the agents understand policyholders' individual risk profiles. With that in mind, agents can recommend the coverage that best matches each client's needs.
In today's environment, businesses need the financial protection and peace of mind that cyber insurance coverage delivers. But if they don't understand coverages, limits, and exposures, how would they feel protected?
The insurance jargon can be hard to decipher for an untrained person as is, and the nature of cyber can make comprehension even more difficult.
Cowbell's standalone cyber insurance programs are built with the policyholder in mind. Coverage clarity is important to us, and we have organized them in the sequence a policyholder might experience a breach: first party loss, first party expense, third party liability.
We want the policyholder to feel taken care of. Our approach to that is education. We want every policyholder to understand their exposure, how they might be able to improve their risk, how they can obtain insurance, and what to do should an incident happen.
That is why we make continuous risk assessment and Cowbell Factors™ accessible to all free of charge. This removes any barrier preventing an organization from building awareness of its risk exposures. Businesses are invited to visit https://cowbell.insure/for-businesses/ and request access to their risk rating.
We also offer a wealth of resources for insurance professionals and policyholders to keep building their cyber knowledge. Additionally, our policies include access to cybersecurity awareness training for up to 20 employees. Our closed-loop approach to risk management guarantees that policyholders get value from us on day one and throughout the lifecycle of their policy.
Cyber insurance has become too important to remain ambiguous. With an exponential increase in attacks, everybody should take advantage of this year's cyber security awareness month and take action by taking some of the most basic steps to build cyber resiliency. Stay posted, we will have more to share during the month.
If you are an insurance agent interested in distributing Cowbell's standalone, admitted cyber insurance programs, contact us at firstname.lastname@example.org.
It's not too late to sign up for tomorrow's GearUP! Vaccines, Masks, Mandates-What's An Employer TO DO? Join us for a panel discussion, moderated by our own Tim Dodge, on what members can and cannot do as employers regarding COVID. The panel will be led by attorney John Valentino, Big I NY Chair of the Board Ron Brunell, Big I NY Regional Director David Borg, and Big I CT Chair of the Board Melissa Gatto.
It's also not too late to get in on this week's Webinar Wednesday – Cyber Series. In this week's session, Steps to Secure Your Email, you'll learn how to avoid the popular tricks cybercriminals are using every day, including phishing, malware, ransomware and spoofing.
It's happening!!! Catalyit launches this Thursday, October 14th. Whether you're an agent looking for all the agency tech guidance in one place, or a solution provider looking to help them, you'll want access! Get on the list here.
There was a lot of interest in Fat Bear week. I feel obligated to let you know that this year's winner was 480 Otis. Click here to check out the before and after hibernation pix.
I'm back again with another podcast recommendation. Kaelyn Willcox, Big I NY's Digital Marketing Specialist, clued me in on this one and I love it. It's called Lore. Start with episode 178, Opportunity – there's an insurance connection!
What is the most irrational superstition you have? I'll go old school back to my basketball playing days. I listened to the same song before every single game. Am I embarrassed to share that song? You know what? No I am not. That song is (You Gotta) Fight for Your Right (to Party!) Let me know your irrational superstition via email at email@example.com or post in our Community.
Join us for this series of webinars FREE for Big I NY members, presented by Walter Contreras of Motiva. You won't want to miss this opportunity to protect you, your agency, and all of your data.
Phishing, Malware, Ransomware, Spoofing. You may have heard the term, but do you know how to spot them? In this session, you'll learn how to avoid the popular tricks cybercriminals are using every day on people like you. Walter will also share how to best use multifactor authentication and what to do when you can't. Great session for your ENTIRE team. This is part two of a three-part cyber series.
Your brick-and-mortar building may have great safeguards for your systems. But what happens when your team is working from somewhere else? The number of new exposures goes through the roof. There are best practices that can minimize the chance of hackers getting your data. Walter will light the way with tangible tips for your entire team. This class made possible by the cybersecurity team at Motiva.
You'd be shocked by how exposed many popular cloud-based agency management systems are. Hackers are getting in; and having a well-known system doesn't mean you're safe.
Join us to learn how you can protect your AMS data (and your cyber-liability exposure). Walter will share what to look for and tangible tips to implement.
Big I NY Member Benefit: Receive a free compliance assessment and PENTEST at motiva.net/bigipentest
After a series of supply chain and ransomware attacks, the federal government is ramping up its effort to improve the nation's cybersecurity. In the past several months, multiple federal departments and agencies announced new policy initiatives and regulatory directives to drive their cybersecurity agenda forward, and state regulators are following the trend. It is unmistakably clear that companies in regulated sectors are entering a new era of cybersecurity regulatory compliance. And although much of this early action targets specific sectors (e.g., government contractors, pipeline operators, and public companies), these requirements will indirectly touch companies in other sectors and are a preview of broader regulation to come. Here, we discuss recent notable actions on cybersecurity by federal and state government agencies.
On May 12, 2021, President Joe Biden signed the Executive Order on Improving the Nation's Cybersecurity. The order focuses on improving the executive branch's cybersecurity posture in response to recent supply chain and ransomware attacks. The order calls for:
- Contractually obligating IT and OT service providers to share threat information with and disclose cyber incidents to their federal counterparts
- Accelerating the migration of federal IT systems to secure cloud services, promoting a zero-trust security model, and enabling multi-factor authentication and data encryption
- Calling for a national cyber incident review board (modeled on the National Transportation Safety Board, which investigates significant transportation incidents)
- Establishing baseline security standards for the development of software sold to the government by requiring developers to maintain greater visibility into their software and making security data publicly available
- Deploying endpoint detection and response (EDR) systems across federal networks
- Implementing enhanced logging at federal departments and agencies
OPEN LETTER TO BUSINESS OWNERS ABOUT THEIR CYBERSECURITY
The White House also published an open letter to U.S. business leaders and executives, urging them to implement protective measures against ransomware attacks. The letter confirms that disrupting ransomware actors is one of the Biden administration’s top priorities and recommends that private companies adopt the following security measures against ransomware attacks:
- Implementing security measures such as MFA, encryption, and EDR
- Periodically testing the integrity of backups
- Regularly updating and patching systems
- Testing the company's incident response plan
- Applying network segmentation where possible
The White House also emphasized cybersecurity and the need to impose consequences on criminal actors during meetings with foreign leaders. At the G7 summit, world leaders, including Biden, identified ransomware as one of the biggest threats to people and businesses around the globe and urged Russia to “identify, disrupt, and hold to account” cybercriminals operating from the country.
Biden continued this emphasis on July 9, 2021, several days after another massive ransomware attack by the REvil ransomware gang (believed to operate in Russia) affected more than 1,000 businesses over the July 4 weekend. Following this remark, on July 13, all infrastructure tied to the REvil ransomware group, including its data leak and payment sites, went offline.
On July 14, the White House announced a new ransomware task force to coordinate both defensive and offensive actions against ransomware operators, which may include launching cyberattacks against foreign ransomware operators. Some lawmakers and policymakers, such as Sen. Mark Warner, D-Va., and Energy Secretary Jennifer Granholm, are taking it a step further by suggesting that ransom payments should be made illegal for U.S. companies to remove financial incentives for cyber criminals.
If you want to know more about cybersecurity or if your business is at risk of a DATA BREACH, visit: Cybersecurity Audit for BIG I Members | Motiva
Based on new information out today from the Excess Line Association of New York (ELANY), we encourage you to perform the periodically required risk assessment of your computer networks now and get ready for new cybersecurity requirements from the New York State Department of Financial Services (DFS).
As reported earlier this month, DFS offered guidance to all entities it regulates on how to address the risks of ransomware attacks. Today's bulletin from ELANY indicates that they've had conversations with DFS that shed new light on the guidance.
According to computer security software provider McAfee, "Ransomware is malware that employs encryption to hold a victim's information at ransom. A user or organization's critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization." Ransomware attacks have become more pervasive in recent years; a massive attack affected hundreds of small businesses worldwide over the recent July 4 weekend.
ELANY's bulletin advised its member brokers of the DFS guidance and contained this new information (emphasis added):
The DFS has told ELANY that the notice is not intended to supersede the regulation. Instead, it is meant to accomplish two goals. First, it provides licensees with information on controls that the DFS believes are important and that the DFS expects licensees to consider implementing, depending on their risk assessments. It is important to note that the DFS views the risk assessment as controlling a licensee’s approach to cybersecurity and that licensees should be able to explain what controls they considered based on their risk assessment, and why they chose not to implement certain controls.
Second, the DFS is putting licensees on alert that the regulation will be revised, and the notice includes some of the specific requirements that will likely be included in the revision. The DFS shared with ELANY that limited exemptions will be maintained and they understand that small brokers have limited resources compared to larger licensees; however, some new requirements will likely be imposed on exempt licensees. Most prominently, licensees with a limited exemption can expect the current exemption from multi-factor authentication requirements to be removed.
Therefore, while the notice did not change New York's Cybersecurity Requirements For Financial Services Companies regulation, DFS is urging all covered entities to assess their risks of ransomware attacks and implement controls based on what they find. The regulation already requires agencies and brokerages to perform risk assessments. Section 500.9 states, "Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this (regulation)."
Also, the bulletin supplements what we already knew from the DFS letter: changes will come later this year to the regulation, and they will affect all of you. It currently requires larger agencies (those that do not qualify for the limited exemption) to implement multi-factor authentication (MFA). ELANY's bulletin indicates that DFS intends to require all entities, regardless of size, to implement MFA. The regulation defines MFA as:
"... authentication through verification of at least two of the following types of authentication factors:
(1) knowledge factors, such as a password;
(2) possession factors, such as a token or text message on a mobile phone; or
(3) inherence factors, such as a biometric characteristic."
MFA is a commonly-used technology for accessing networks remotely. Big I New York implemented it for staff working outside the office several years ago.
Because of this new information from ELANY, we suggest you:
- Perform new risk assessments with an eye toward the threat of ransomware attacks.
- Prepare to incorporate MFA technology into your cybersecurity programs.
Qualified cybersecurity consulting firms such as Motiva can assist you with implementing MFA. Motiva is also offering Big I New York members a free cybersecurity audit of their computer networks to evaluate network health.
Our cybersecurity regulation compliance resources are available to you at any time at www.biginy.org/cyber.