This week, Big I NY submitted comments on the DFS' pre-proposed draft amendments to the Cyber Regulation. You can read more about the draft amendments in an earlier post here.
In our comments, we recommended changes to the amendments that would help alleviate new burdens on producers, while still ensuring non-public information (NPI) is protected.
Some of the key points include:
- Expanding the revenue threshold of the limited exemption to correspond with the proposed higher thresholds for employee count and assets, and clarifying that only independent contractors with access to NPI be counted towards the employee count.
- Expanding the total exemption for inactive licensees to include brokers in addition to agents.
- Exempt covered entities from the requirement to “cross police" each other as third party service providers, consistent with regulations adopted in nearly half of all states.
- Remove the proposed requirement that covered entities not in compliance certify their noncompliance annually and specifically identify cybersecurity deficiencies.
- Clarify that risk assessments need only be conducted annually if there is a material change to the entity's cybersecurity risk.
- Clarify that penalties are assessed after a failure to comply with the regulation only where such noncompliance is intentional, and lengthen that time period from 24 to 72 hours.
You can read our full comments here. The DFS will now consider the pre-proposal feedback, then release the official proposed amendments. At that point, stakeholders will have further opportunity to provide additional comments before the regulation is adopted.
[The following is an updated version of a post from 2014. Unfortunately, the message is still very relevant in 2022.]
I turned 61 last month. (Insert jokes about old age here.) A few weeks before I turned 25, way back during the Ronald Reagan years, the New York State Legislature passed and Gov. Mario M. Cuomo signed a bill into law, formally known as Chapter 220 of the Laws of 1986. It slapped new requirements on insurers
that wanted to cancel or non-renew commercial insurance policies or make major changes to them. No longer could insurers double a business’s premium or exclude important coverage with no advance notice, or non-renew a policy with a month’s notice.
I was an underwriting assistant with a large national insurer group at the time, and I remember what a big deal this change was. The underwriters in my office knew that this would take some getting used to. When I became an underwriter, I also had to work within its confines. It wasn’t always easy, but it was the law. The rules may cause underwriters some additional work they don’t want, but they’re not all that difficult to understand.
This law, New York Insurance Law Section 3426, is now 36 years old, meaning that since its enactment:
- A half dozen Big I New York employees were born
- The World Wide Web, DVD technology, the iPhone, the Sony PlayStation, Google and text messaging were invented
- Six U.S. presidents were elected, three of them twice
- The following TV shows began and ended their runs: Friends; Seinfeld; The West Wing; The Sopranos; The Wire; ER; all iterations of CSI; Criminal Minds; Breaking Bad; Game of Thrones; and many more
- The insurer groups USF&G, Continental, St. Paul, General Accident, and The Home ceased to exist
- The Gecko, Flo, Mayhem, and Jake From State Farm were introduced
And yet, even after all this time, too many insurers either can’t or won’t follow this law. It passed the point of being ridiculous a long time ago.
At least once a week, I receive complaints from Big I New York members such as these:
- A carrier sent a conditional renewal notice on a commercial property policy, indicating that the premium would increase by more than 10% and the "all other perils" deductible would increase to $25,000. The renewal policy arrived with the flood deductible having increased from $25,000 to $250,000. Despite the lack of prior notice, the carrier declined to return the deductible to its previous level.
- An underwriter had a letter sent to the insured before renewal but claimed it "wasn't a 220 notice" and therefore the letter did not have to mention the new $10,000 general liability insurance deductible that showed up on the renewal policy.
- An underwriter informed an agent that a $500,000 commercial property policy would simply expire if the insured did not give the agent a bind order before expiration. The insured was out of the office and unreachable.
- A carrier notified several commercial insurance policyholders that it would add a new Abuse or Molestation exclusion to their liability policies in the middle of the policy terms.
- An underwriter issued a renewal policy more than 60 days before the expiration date. Because of this, he believed that he did not have to send a conditional renewal notice about coverage and premium changes.
- An underwriter believed that he could hike the renewal premium by 17 percent without sending a conditional renewal notice. He had switched the policy from one insurer in his group to another. He believed that this absolved him of responsibility for sending a notice.
I wish I could say that this is a new problem, but it’s not. I receive so many emails about problems our members have with insurers on this, I saved the law’s text as auto-text in Microsoft Outlook. I can insert the text in an email with two clicks of my mouse. It’s saving me a lot of time. I've taught webinars and in-person courses about the law’s requirements. I’ve written blog posts and even done an episode of my old podcast on the topic. I’ve been on this job for 20 years, and I probably got my first question about this law on day two.
Here are the facts from the law itself.
- It applies to commercial risk, professional liability, and public entity insurance policies.
- It defines “renewal” or “to renew” as “the issuance or offer to issue by an insurer of a policy superseding a policy previously issued and delivered by the same insurer, or another insurer under common control.”
- An insurer must provide a written notice to the first-named insured and the insured’s authorized agent or broker if it decides not to renew a policy. It also must provide the notice if it decides to renew with certain coverage changes or premium increases. Otherwise, the policy “shall remain in full force and effect pursuant to the same terms, conditions and rates.”
- The insurer must send the notice if it wants to change limits; change the type of coverage; reduce coverage; increase deductibles; add exclusions; or increase the premium more than 10 percent (not counting any premium increase generated as a result of increased exposure units, or as a result of experience rating, loss rating, retrospective rating or audit.)
- The notice must contain the specific reason or reasons for the insurer’s actions; provide the amount or a reasonable estimate of any premium increase; and describe in plain and concise terms the nature of any other proposed changes.
- The notice must inform the insured and the agent or broker that either may obtain the insured’s loss information from the insurer. The insurer must provide this information within 10 days of a request for it.
- For most policies, the insurer must provide the notice 60 to 120 days before the expiration date. It must send notices for umbrella or excess liability policies and policies issued to very large businesses 30 to 120 days in advance.
- If the insurer sends the notice less than 60 days before the expiration date, it must extend the expiring coverage and rates. The extension must be for 60 days from the date of the notice. The only exception to this rule is if the insurer sends a conditional renewal notice at least 30 days in advance and the insured does not replace the policy. If the insurer sends the notice on or after the expiration date, the insured is entitled to another full year of coverage. This coverage must be at the same terms and conditions of the expired policy and at either the expiring rates or the renewal rates, whichever is less.
- The law does not apply to some types of policies, notably assigned risk auto, property policies issued by the FAIR plan, Workers' Comp, surety, inland and ocean marine, excess line policies, and personal lines policies (personal lines is governed by a different law.)
Folks, this isn’t that hard. You have to give your policyholders at least two months’ warning if you’re going to drop them, change or reduce their coverage, or hike their premiums. You can’t play cutesy games to get out of it by switching the coverage to another insurer in your group. You can’t just issue the renewal policy two months early and let the insured figure it out. You have to tell them what changed and why, and you have to let them know they can get their loss history. You can’t just let a policy expire.
If this was a new law, I could understand the confusion, but it isn’t and I don’t. If you manage an underwriting team and your people are not fully complying, this is your fault
. Don’t rely on a cheat sheet or some other shortcut to educate them; give them a copy of the law. You can download it from the Big I New York website
. For all that, give them a copy of this post. Just make sure they’re following the law.
Yes, it’s a hassle, but it’s part of doing commercial lines business in New York. And lest this start a litany of posts about how New York hates business, be aware that 18 other states
also require 60 days’ notice of nonrenewal. Kentucky requires 75 days’ notice, and two states require 90 days’ notice for medical malpractice liability policies. More than half the states require at least 30 days’ advance notice of material changes and/or premium increases. New York is not unique in this respect.
This law has been on the books for almost four decades. Every insurer operating in this state should be accustomed to it by now. Stop trying to wiggle your way out of the requirements. It makes you look dishonest, whether you mean it to or not. Educate your underwriters so they know what they have to do. The insurance business is difficult enough for underwriters, agents and brokers without having to deal with easily solvable compliance issues. Follow the rules.
It took months to land that important account. You followed up with responsive service and valued insurance products. Now, this key customer just requested a surety bond. And...they need the bond by tomorrow.
Why take the risk of referring this hard won client to a competing agent?
You now have access to a surety provider with capacity, experience and the right tools to meet your client's surety and fidelity bond needs. CNA Surety is known for its expert underwriting, solid financial strength, market leadership and creative solutions to all bonding requirements. The CNA Surety group of companies ranks as one of the largest writers of bonds in the United States.
CNA Surety understands and can provide custom-tailored surety solutions to virtually all segments of the market, regardless of size or circumstance.
The commercial surety market includes numerous types of bonds categorized as license and permit, notary, public official, fiduciary, court, miscellaneous and federal, along with corporate commercial bonds.
CNA Surety Companies also write fidelity bonds, which cover losses arising from employee dishonesty and errors & omissions liability insurance.
Contract bonds guarantee the performance of obligations covered by a written agreement between two parties. The most common types include bid, performance and payment bonds. CNA Surety’s FAST-Track Bond Program for small contractors is highly competitive and emphasizes service with common-sense, streamlined underwriting.
Backed by the financial strength of the CNA Insurance Group, we have one of the highest US Treasury Underwriting Limitations in the surety industry.
- A.M. Best Rating of A (Excellent)
- Standard and Poor’s Rating of A+ (Stable)
- 2.2 million bonds in force with 550,000 new bonds annually
- Combined Treasury List capacity in excess of $1 billion
- Consistently excellent industry ratings
- 39 branch offices nationwide
- Surety bonds provided in all 50 states, Canada and Puerto Rico
- Program Benefits
- Direct access to CNA Surety portal for quoting, servicing, selling, information and more
- Live Support and extensive marketing materials are available
- Broad appetite
- Competitive commissions with no fees
- Quick enrollment
- All Big I NY members are eligible to participate
The New York State Department of Financial Services has asked producer trade organizations to distribute the following message:
Section 4 of the New York Automobile Insurance Plan (NYAIP) manual provides for the Department of Financial Services to appoint at least 4 public member alternates to the Governing Committee of the NYAIP. Section 15A of the New York Automobile Insurance Plan (NYAIP) manual provides for the Department of Financial Services to appoint at least 4 public members, 1 company member and their respective alternates to the Producer Certification Peer Review Panel.
At the request of the Department of Financial Services (DFS,) the NYAIP is soliciting producer trade organizations for qualified producers (at least five years of work experience) who are interested in serving in the capacity of public member or public member alternate on the NYAIP Governing Committee or Peer Review Panel. Public members represent a broad segment of the public obtaining insurance through the NYAIP. Public member alternates serve in the absence of any public member with the full powers, rights, and entitlements of a public member representative.
Current Public Member vacancies include:
2 Governing Committee Public Members recommended by DFS
4 Governing Committee Public Member Alternates appointed by DFS
1 Peer Review Panel Public Member appointed by DFS
4 Peer Review Panel Public Member Alternates appointed by DFS
The Governing Committee
The Governing Committee is responsible for the oversight and direction of the NYAIP pursuant to Article 53 of the Insurance Law. It currently consists of twenty-two total members, eleven of which are insurers (known as subscriber company members), ten public members, and one limited assignment distribution (LAD) servicing agent. Pursuant to the NYAIP manual, the Superintendent is responsible for appointing at least four public members alternates to serve in the absence of any public member. Each public member alternate serves for a term of one year.
Candidates should know that:
Governing Committee Meetings:
- The Governing Committee meets 4 times per year (January, May, September and November). The January meeting is a teleconference and the 3 others are in person but may be held as a teleconference or include remote participation.
- In person meetings are conducted near the NYAIP offices in the Wall street area of NYC.
- Public members and alternates are expected to attend each meeting and receive a per diem for each meeting. Additionally, travel expenses are paid for by the NYAIP.
- Meetings generally last no more than 3 hours.
- Electronic votes are conducted ad hoc as needed and immediate response is expected.
- Every GC member must serve on at least one subcommittee.
The Peer Review Panel
- Peer Review Panel members are appointed for a term of two years.
- Peer Review Panel Meetings are in person at the Plan office.
- Meetings are scheduled quarterly and are held only if there are cases for review.
- Recent history required only one meeting a year.
To facilitate the process, we have developed an electronic application (see link above). All applications will be provided directly to the Department of Financial Services for its consideration, and the Department will contact respondents for any further information if needed. Producers interested in serving on the GC should submit the required electronic application form for the DFS by no later than August 20, 2022. DFS will review all applications and submit its Public Member appointments and recommendations to the Governing Committee for its November 2022 Annual Meeting.
The NYAIP and the Department of Financial Services appreciate your assistance and participation in the Governing Committee Alternate Public Member candidate process.
The New York Automobile Insurance Plan
Photo by Sue Thompson. Used under a Creative Commons Attribution-No Derivatives 2.0 license.
Insurance standards setting organization ACORD has announced revisions to two of its published forms pertaining to flood insurance. You should plan on using the new editions starting in December. ACORD is treating both as new forms due to the number of changes.
ACORD 301 (2022/12), National Flood Insurance Program - Flood Insurance Application, replaces the 2015/04 edition. It is designed to work with the NFIP's Risk Rating 2.0: Equity In ACTION rating methodology, introduced last year.
ACORD 304 (2022/12), NFIP - Flood Insurance Cancellation/Nullification, replaces the 2018/08 edition. It is designed to work with the policy cancellation instructions in the Flood Insurance Manual. The Federal Emergency Management Administration (FEMA,) which administers the NFIP, provides additional information on its website.
The new forms should be available through agency management systems or an ACORD Advantage subscription by December. You should use them starting December 1.
On July 29th, the NYSDFS released a pre-proposed draft of forthcoming amendments to 23 NYCRR 500, New York's sweeping cyber regulation.
The DFS proposes a wide range of changes to the regulation, including but not limited to:
- Require covered entities to strictly limit the number of “privileged accounts", aka those able to perform security-relevant functions
- More specific requirements for entity risk assessments, required annually and when there is a material change to risk, as opposed to “periodically."
- Possibly requiring employees of covered entities to develop their own third-party service provider policies. We have requested clarification on this as it would have troubling implications for individual agents.
- Expand the definition of third-party service providers to include governmental entities.
- Certification of compliance will have to be backed up by internal documentation of compliance.
- If an entity was not in compliance at the end of the prior year, they will have to say so, identify the provisions with which they are not in compliance, and identify the areas that require improvement.
- The criteria for an entity to qualify for the limited exemption has been broadened:
|Fewer than 10 employees||Fewer than 20 employees|
|Less than $5 million in New York revenue||Less than $5 million in New York revenue|
|Less than $10 million in total assets||Less than $15 million in total assets|
- Individual insurance agents (those with licenses carrying the LA or PC prefixes) whose licenses are in inactive status (because no carriers have appointed them) will be completely exempt from the regulation's requirements unless they otherwise qualify as covered entities. For example, a person with an inactive PC license and who also has a valid property-casualty broker (BR) license would not be exempt.
- The enforcement section has been significantly expanded. A single act or single failure to act to satisfy an obligation required by the regulation will be deemed a violation of it. These include but are not limited to failure to protect systems or information due to noncompliance. They also include “the failure to comply for any 24-hour period with any section or subsection of this Part."
This is the first step in the process of amending the cyber regulation; the department will accept comments on this draft until August 18th, then release a proposed amendment for formal comments. After the comment period, a final draft of the amendments will be adopted.
The proposed amendments state that they will be effective immediately upon publication of the notice of adoption. However, compliance will be required later – for most of the changes, compliance will be required within 180 days of the effective date. Compliance with the new cybersecurity event reporting requirements will be required within 30 days, while compliance with the changes to the access privileges, multi-factor authentication (MFA) and training and monitoring requirements will be required one year from the effective date.
Big I NY Has Your Back:
Big I NY is carefully reviewing the proposed changes and will submit comments to the DFS. We will keep members apprised of important developments. Please contact Scott Hobson at SHobson@BigINY.org with comments or questions.