Apr 08
New: Cyber Reg FAQ Document

We are happy to announce a new resource to help you comply with New York's financial services cybersecurity regulation - a "frequently asked questions" document. 

The seven-page file provides answers to some of the questions Big I New York members ask most often about the regulation, including:

  • Are licensed employees required to make the annual compliance filings?
  • How do I get help completing the compliance filing?
  • Does my agency have to submit the Notice of Exemption every year?
  • Do agency employees have to submit the Notice of Exemption every year?
  • If my agency qualifies for the limited exemption, what requirements do we have to meet?

And many more. We encourage you to review it and save a copy for future reference. There is a link to it on the main page of the Cybersecurity section of our website. 

When it comes to regulatory compliance, Big I New York has your back.

Apr 07
New Cybersecurity Reg Compliance Tool - Asset Inventory Workbook

As we mentioned last week, the New York financial services cybersecurity regulation requires all covered entities (including all insurance agencies) to create and maintain an inventory of their information system assets. Entities have until Nov. 1, 2025 to comply with this requirement.

We have developed a Microsoft Excel workbook that will help you meet this requirement. For each listed device, it has fields for several pieces of information including those the regulation specifically mentions (owner, location, classification/sensitivity, support expiration date, recovery time objectives.) Where possible, it uses drop-down menus to make selecting an answer easier. It is currently formatted for up to 100 devices. Should we start to get complaints that this is not enough, we'll update it.

The new workbook is available here. You can always find it by:

  1. Logging in at www.biginy.org.
  2. Clicking the Cybersecurity button on the home page.
  3. Clicking the Compliance Resources image.
  4. Clicking on "Step 2: Conduct An Internal Agency Risk Assessment."
  5. Clicking on "Device Inventory."
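For readers who would rather keep the inventory in a form a script can check, here is an added example (not the Big I New York workbook itself) that models the fields the regulation calls for as a CSV-backed record and runs the checks an annual inventory review would want: missing owner, invalid classification, unknown or expired vendor support, no recovery time objective. The field names, the classification values and the 90-day warning window are assumptions chosen for this example, and the four devices are constructed sample data.

```python
"""Added example (not the Big I New York workbook itself): the asset
inventory fields the regulation calls for, modelled as a small CSV-backed
record type with the checks an annual inventory review would run.
Field names, classification values and the 90-day warning window are
assumptions chosen for this example."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed drop-down values for the classification/sensitivity field.
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}
SUPPORT_WARNING_DAYS = 90  # assumed: warn when vendor support ends within 90 days


@dataclass
class Asset:
    asset_id: str
    description: str
    owner: str
    location: str
    classification: str
    support_expires: Optional[date]  # vendor support end date; None if unknown
    rto_hours: Optional[int]         # recovery time objective; None if not set


def parse_inventory(csv_text: str) -> List[Asset]:
    """Parse the inventory from CSV text with a header row (the shape a
    workbook export would have). Empty cells become None."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exp = row["support_expires"].strip()
        rto = row["rto_hours"].strip()
        assets.append(Asset(
            asset_id=row["asset_id"].strip(),
            description=row["description"].strip(),
            owner=row["owner"].strip(),
            location=row["location"].strip(),
            classification=row["classification"].strip().lower(),
            support_expires=date.fromisoformat(exp) if exp else None,
            rto_hours=int(rto) if rto else None,
        ))
    return assets


def inventory_findings(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset_id, finding) pairs for records that need attention:
    missing required fields, invalid classification, expired or soon-to-expire
    vendor support. Assets with no findings are not listed."""
    findings = []
    for a in assets:
        if a.classification not in CLASSIFICATIONS:
            findings.append((a.asset_id, "invalid classification"))
        if not a.owner:
            findings.append((a.asset_id, "no owner recorded"))
        if a.support_expires is None:
            findings.append((a.asset_id, "support expiration date unknown"))
        elif a.support_expires < today:
            findings.append((a.asset_id, "vendor support expired"))
        elif (a.support_expires - today).days <= SUPPORT_WARNING_DAYS:
            findings.append((a.asset_id, "vendor support expires within 90 days"))
        if a.rto_hours is None:
            findings.append((a.asset_id, "recovery time objective not set"))
    return findings


# Constructed sample export with four devices (not real agency data).
SAMPLE_CSV = """asset_id,description,owner,location,classification,support_expires,rto_hours
WS-01,Front-desk laptop,J. Smith,Main office,confidential,2027-01-31,24
WS-02,Spare workstation,,Storage room,confidential,2024-10-14,
SRV-01,Agency management server,IT vendor,Server closet,secret,2025-06-30,4
PH-01,Producer smartphone,A. Jones,Mobile,internal,,8
"""

if __name__ == "__main__":
    for asset_id, finding in inventory_findings(parse_inventory(SAMPLE_CSV), date(2025, 4, 7)):
        print(f"{asset_id}: {finding}")
```

Run against the sample, the script lists WS-02 three times (no owner, expired support, no RTO), SRV-01 twice (an unrecognised classification and support ending within the window) and PH-01 once; WS-01 is complete and does not appear. Exporting the workbook as CSV and running the same checks each year keeps the inventory review repeatable.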

Apr 04
NY Cybersecurity Regulation: Data Retention & Disposal Requirements

Question from a Big I NY member: "Question regarding data retention. In our agency management system (AMS), we retain files as long as the provider does. Is that acceptable? We do so for protection, i.e., say we wrote life insurance and fifteen years later the client dies and the company claims some type of misrepresentation from insured on application. We would want all of the backup notes, signed forms, questionnaires. Is this okay? I could not find on your website anything addressing this besides that we need to keep for the required legal periods, say seven years as a minimum, but what about longer?

Also, say a client leaves us, I do not delete their files in the AMS. They may come back and if so, I do not have to develop all the same information again such as address, date of birth, etc., or maybe a coverage issue arises down the road from pollution liability, etc. Am I under any obligation to wipe a client off the AMS after they are no longer a client after say seven years, or am I allowed to retain?"

Answer: Section 500.13 of the regulation states:

"(b) As part ​of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1 (k) (2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained." 

Section 500.1(k)(2)-(3) states:

"(k) Nonpublic information means all electronic information that is not publicly available information and is: …

    (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:

        (i) social security number;
        (ii) drivers' license number or non-driver identification card number;
        (iii) account number, credit or debit card number;
        (iv) any security code, access code or password that would permit access to an individual's financial account; or
        (v) biometric records;

    (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:

        (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
        (ii) the provision of health care to any individual; or
        (iii) payment for the provision of health care to any individual."

Section 500.13 requires your agency to have policies and procedures for periodically securely disposing of these types of information that are no longer necessary for the agency's operations or other legitimate business purposes. The determination of when the information is no longer necessary is entirely up to you. It could vary from one agency to another, and even within an agency it might vary depending on the type of information it is. The only exceptions are:

  • Where another law requires you to retain the information (I can't think of an example offhand.)
  • Where it's infeasible for you to delete it (for example, some agency management systems leave the agency with no control over data storage.)

As a side note, New York insurance laws and regulations require agencies to retain copies of only three types of documents, and none of them fall under this regulation. They are service fee agreements; premium account records; and producer compensation disclosures, and they must be retained for at least three years. While the law does not require you to retain other types of client records, the E&O attorneys recommend retaining them for at least seven years as a loss control measure because the statute of limitations for suing an agency in New York is six years. See The E&O Report, July 2013: “Because New York law provides that an insured has up to six years from the time when an error or omission occurs in order to commence legal action against an agency or brokerage, we always recommend that every agency or brokerage retain all documents for a period of at least seven years or even longer if possible.”

The key thing with this section of the regulation is that you must have written policies and procedures for how long you will retain non-public information and how you will securely dispose of it when you don't want or need it anymore. Those policies and procedures are entirely up to you. The sample cybersecurity program the DFS provides contains this content about the data retention requirements: 

"1. Describe how you dispose of nonpublic information when it is no longer necessary for business operations or for other legitimate business purposes:

2. Describe how long nonpublic information is retained, both generally and for any special categories where the general rule does not apply: ...

Examples of secure disposal methods include: shredding paper so nonpublic information cannot be read or reconstructed; destroying or erasing electronic files or media so that non public information cannot be read or reconstructed; and hiring qualified third-party service provider who can provide such secure disposal. More information is available from the U.S. Cybersecurity and Infrastructure Security Agency at https://www.cisa.gov/sites/default/files/publications/DisposeDevicesSafely.pdf."

Just remember, the longer you retain non-public information, the longer you must protect it.
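To make the written policy concrete, here is an added example (not from the post, the DFS template or any agency's program) that applies the decision order of Section 500.13(b) record by record: keep what is still within its retention period, keep what law or a hold requires, keep and document what cannot feasibly be deleted, and otherwise dispose, securely when the record holds nonpublic information. The record categories, retention periods and sample records are assumptions made for the example; the seven-year figure follows the E&O recommendation quoted above, and the three-year categories are the documents the post says New York insurance law requires agencies to keep.

```python
"""Added example (not from the post or DFS): a retention-schedule evaluator
that applies the logic of Section 500.13(b) record by record. The categories,
retention periods and sample records are assumptions made for this example;
the seven-year figure follows the E&O recommendation quoted in the post."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Tuple

# Assumed agency retention schedule: years to keep a record after it was last
# needed for business purposes. Each agency sets its own values.
RETENTION_YEARS = {
    "client_file": 7,                      # E&O recommendation: at least seven years
    "service_fee_agreement": 3,            # documents NY insurance law requires be kept
    "premium_account_record": 3,
    "producer_compensation_disclosure": 3,
}


@dataclass
class Record:
    record_id: str
    category: str
    contains_npi: bool              # nonpublic information under 500.1(k)(2)-(3)
    last_needed: date               # e.g. policy expiration or end of client relationship
    legal_hold: bool = False        # retention required by law, regulation or litigation
    disposal_feasible: bool = True  # False when the AMS vendor controls data storage


def add_years(d: date, years: int) -> date:
    """Add years to a date; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record. Actions: retain, review,
    dispose, securely_dispose. The order mirrors 500.13(b): still within the
    retention period -> keep; required by law -> keep; disposal infeasible ->
    keep and document why; otherwise dispose, securely if the record holds
    nonpublic information."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return ("review", "no retention rule for this category")
    eligible_on = add_years(rec.last_needed, years)
    if today < eligible_on:
        return ("retain", f"retention period runs until {eligible_on.isoformat()}")
    if rec.legal_hold:
        return ("retain", "retention required by law, regulation or hold")
    if not rec.disposal_feasible:
        return ("retain", "targeted disposal not reasonably feasible; document why")
    if rec.contains_npi:
        return ("securely_dispose", "nonpublic information past its retention period")
    return ("dispose", "past retention period")


def periodic_disposal_report(records: Iterable[Record], today: date) -> Dict[str, Tuple[str, str]]:
    """The output of one periodic disposal run, keyed by record id."""
    return {r.record_id: disposal_decision(r, today) for r in records}


# Constructed sample records (not real client data).
SAMPLE_RECORDS = [
    Record("R1", "client_file", True, date(2017, 3, 1)),
    Record("R2", "client_file", True, date(2020, 6, 15)),
    Record("R3", "client_file", True, date(2015, 1, 10), legal_hold=True),
    Record("R4", "client_file", True, date(2016, 2, 29), disposal_feasible=False),
    Record("R5", "premium_account_record", False, date(2021, 1, 1)),
    Record("R6", "marketing_list", False, date(2019, 5, 5)),
]

if __name__ == "__main__":
    for rid, (action, reason) in periodic_disposal_report(SAMPLE_RECORDS, date(2025, 4, 4)).items():
        print(f"{rid}: {action} ({reason})")
```

The report from a run is the record the regulation's "periodic basis" language calls for: R1 is past its seven years and holds nonpublic information, so it goes to secure disposal; R3 stays because of a hold; R4 stays because the system does not allow targeted deletion, and the reason is written down; R6 has no rule and is sent for review rather than silently kept. A category with no rule surfacing as "review" is deliberate, since an unclassified store of nonpublic information is the case that most often goes unprotected.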

Apr 03
DFS Floats Hurricane Deductible Trigger Regulation

The New York State Department of Financial Services (DFS) has posted a draft of an amended regulation on hurricane deductible triggers. The department has invited interested parties to share their initial reactions.

The draft regulation would implement a law enacted last year. That law, which Big I New York supported, requires the department to “by regulation establish standards for hurricane windstorm deductibles, which create, to the greatest extent possible, uniformity in the operation of such deductibles with respect to the triggering event." The law was intended to respond to concerns that homeowners in the same town or village might face vastly different hurricane deductibles because of the difference in policy conditions regarding what triggers them.

Big I New York is reviewing the draft and may provide general comments to the department for their consideration as they finalize the proposal. Once they publish a formal proposal, we will perform a thorough analysis and provide detailed comments during the public comment period.

Apr 03
Potential Change to State Building Codes Could Create Property Insurance Coverage Gaps

Proposed updates to New York's building and energy conservation construction code could leave some of the state's property owners with insurance coverage gaps. Agencies and brokerages may want to begin offering property insurance clients higher limits of Ordinance or Law Coverage.

The New York Department of State announced last month that it is considering amendments to the State Uniform Fire Prevention and Building Code and the State Energy Conservation Construction Code. The amendments would repeal the current versions of the codes and adopt amended and updated versions. The Notice of Proposed Rule Making in the New York State Register lists many proposed requirements for construction of all kinds, including residential and commercial.

Updated building codes will likely increase the cost of repairing or reconstructing a damaged building. These costs might be insured by Ordinance or Law Coverage. This is a bundle of coverages that apply when local building ordinances require the demolition of a building damaged beyond a certain extent or that reconstruction complies with updated codes. It also covers the value of the undamaged portion of a building that must be knocked down.

Standard homeowners and commercial property insurance policies provide very limited Ordinance or Law Coverage. The ISO Homeowners 3 – Special Form, HO 00 03 03 22 (also known as the HO-3) automatically provides the coverage with a limit equal to 10% of the limit on the dwelling. For example, if the dwelling limit is $500,000, the policy provides $50,000 coverage for the value of the undamaged portion, the cost of demolition, and the increased cost to meet code requirements, combined.

The ISO Commercial Building and Personal Property Coverage Form, CP 00 10 10 12 provides even less. It covers the increased cost of construction to meet code requirements, but not for the value of the undamaged portion or the cost of demolition. The limit of insurance is small – 5% of the building's value at the time of the loss, multiplied by the coinsurance percentage shown in the policy Declarations, or $10,000, whichever is less.

However, ISO offers endorsements for both types of policies to fill a potential coverage gap. Homeowners endorsement HO 04 77 03 22, Ordinance or Law Increased Amount of Coverage, can increase the 10% limit to 25%, 50%, 75%, or 100%. Commercial Property endorsements CP 04 05 09 17, Ordinance or Law Coverage; CP 04 26 09 17, Ordinance or Law Coverage for Tenant's Interest in Improvements and Betterments (Tenant's Policy), and CP 15 14 09 17, New York - Ordinance Or Law - Increased Period Of Restoration provide the coverage for commercial direct damage losses, tenants' improvements and betterments losses, and Business Income and Extra Expense Coverage losses. Options for limits vary.

Carriers who use forms other than ISO forms may have similar endorsements available. For example, Underwriters Rating Board (URB) offers several Ordinance or Law endorsements for both homeowners and commercial property policies.

The Department of State has scheduled in-person and virtual public hearings on the proposed updates for late May. The public comment period ends on May 27. It seems almost certain that at least some updates to the building codes will be adopted sometime this year. To offer your clients better protection, explain to them the changes under consideration and why Ordinance or Law Coverage may be important to them.

Apr 01
Enhanced Cybersecurity Requirements Coming May 1

All New York regulated financial services companies, including insurance agencies, must implement additional cybersecurity procedures by May 1. These requirements are part of the 2023 amendments the New York State Department of Financial Services (DFS) made to the state's financial services cybersecurity requirements.

While most Big I New York member agencies have fewer than eight employees and do not have a staff person known as a “system administrator," some may have one who performs some administration functions. A system administrator has special systems access, allowing them to make security-related changes to the systems. These might include turning access on or off for individuals, configuring firewalls to permit data to enter the system, and related functions.

The cybersecurity regulation refers to accounts that grant a person this kind of access as “privileged accounts." If your agency uses privileged accounts for a staff person to make security changes, it must:

  • Limit the number of them.
  • Limit the functions someone with a privileged account can perform to only those necessary for performing their job.
  • Limit when an individual can use a privileged account to only those times when they are performing functions that require this access.

Other requirements that agencies must implement by May 1 include:

  • Reviewing all user access privileges at least annually.
  • Removing or disabling all accounts and access that the review shows are no longer necessary.
  • Disabling or securely configuring all network software that allows someone (such as a system administrator) to remotely control a device (such as an employee's workstation.)
  • Promptly terminating users' access privileges upon their departure from the agency.
  • Implementing written password policies that meet current industry standards. This might be a requirement that passwords be twelve or more characters long, contain upper and lower-case letters, at least one number, and at least one special character (such as a question mark.)
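An added example, not Big I New York's or DFS's code, of what the privileged-account limits and the May 1 review items look like when written as a check over an account list: a cap on enabled privileged accounts, privileged accounts kept separate from daily-use ones, accounts with no recent login flagged for confirmation or removal, departed users caught immediately, and a checker for the example written password policy above. The account list, the cap of two, the 90-day window and the "-admin" naming convention are assumptions made for this example.

```python
"""Added example (not Big I New York's or DFS's code): an access-review
script for the May 1 requirements. The account list, the privileged-account
cap, the staleness window and the "-admin" naming convention are assumptions."""
import string
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PRIVILEGED = 2       # assumed agency-chosen cap on enabled privileged accounts
STALE_DAYS = 90          # assumed: no login in this long -> confirm still needed
ADMIN_SUFFIX = "-admin"  # assumed convention: privileged accounts are separate from daily-use ones


@dataclass
class Account:
    username: str
    privileged: bool
    last_login: Optional[date]
    departed_on: Optional[date] = None   # set when the employee leaves the agency
    enabled: bool = True


def access_review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return review findings keyed by username; "_summary" holds agency-wide
    findings. Accounts with no findings do not appear."""
    findings: Dict[str, List[str]] = {}

    def note(key: str, msg: str) -> None:
        findings.setdefault(key, []).append(msg)

    enabled = [a for a in accounts if a.enabled]
    privileged = [a for a in enabled if a.privileged]
    if len(privileged) > MAX_PRIVILEGED:
        note("_summary", f"{len(privileged)} enabled privileged accounts exceed the cap of {MAX_PRIVILEGED}")

    for a in enabled:
        # Departed users first: their access should already have been removed.
        if a.departed_on is not None and a.departed_on <= today:
            note(a.username, "user has departed: disable immediately")
            continue
        if a.last_login is None or (today - a.last_login).days > STALE_DAYS:
            note(a.username, f"no login in {STALE_DAYS} days: confirm still needed or disable")
        if a.privileged and not a.username.endswith(ADMIN_SUFFIX):
            note(a.username, "privileged account is not separated from a daily-use account")
    return findings


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Check a candidate password against the example written policy in the
    post: at least twelve characters with upper- and lower-case letters, a
    digit and a special character. Run at set/change time only; the password
    itself is never stored by this check."""
    checks = (
        len(password) >= min_length,
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return all(checks)


# Constructed sample account list (not a real agency's).
SAMPLE_ACCOUNTS = [
    Account("jsmith", False, date(2025, 3, 28)),
    Account("jsmith-admin", True, date(2025, 3, 20)),
    Account("kchen-admin", True, date(2025, 3, 31)),
    Account("mjones", False, date(2024, 11, 2), departed_on=date(2025, 1, 15)),
    Account("vendor", True, date(2024, 10, 1)),
    Account("old-temp", False, None),
    Account("retired", False, date(2023, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for user, notes in access_review(SAMPLE_ACCOUNTS, date(2025, 4, 1)).items():
        for n in notes:
            print(f"{user}: {n}")
```

On the sample, the review reports three enabled privileged accounts against a cap of two, a departed user whose account is still enabled, a vendor account that is both privileged-but-not-separated and unused for six months, and a temporary account that has never logged in. Keeping the output of each run is what lets you show the annual review actually happened and what was removed as a result.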

Those of you who click the link above to the regulation's text will see a reference to “class A companies." A class A company has at least $20 million in annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue. No Big I New York members fit this definition.

Many of you may be informally doing some or all these procedures already. They should become part of your agency's cybersecurity policy, the written document of agency policies and procedures designed to protect your systems and non-public data. Last spring, DFS published a new cybersecurity policy template for the businesses it regulates to use. The template is comprehensive, and we encourage all members to use it as a starting point. You will find the section pertaining to the requirements described above under Section V. Access Privileges and Management starting at the bottom of page 4.

This is the next-to-last deadline for complying with the regulation's amendments. Agencies have until November 1 to create and manage inventories of the components of their information systems (workstations, laptops, phones, etc.) We will provide guidance on how to create the inventory this fall.

For more information:

www.biginy.org/cyber

NY Cybersecurity Regulation: What Your Agency Needs To Do (Jan. 10, 2025)

Another Resource To Help with Cyber Reg Compliance (Feb. 11, 2025)
