Oct 11
Big I NY Urges Veto on Costly Wrongful Death Bill

Big I NY and a coalition of 34 other business organizations urged Gov. Kathy Hochul this week to veto legislation that would lead to skyrocketing wrongful death lawsuit awards and increased insurance costs for all New Yorkers.  

In a letter to the Governor, the coalition pointed to the severe economic implications that would result from the passage of A.9232B/S.8485B​ (aka Wrongful Death/Grieving Families Act) and the impact that it would have on New York families and businesses.  The coalition letter notes that, if enacted into law, personal auto and small business insurance premiums are expected to increase by 6% and 10.9%, respectively.  

Gov. Hochul has twice vetoed the wrongful death expansion, citing the impact it would have on the cost of insurance of all types, especially in the healthcare sector.  The bill expands the types of compensation available to family members in a wrongful death claim to include subjective and difficult-to-define elements like grief, emotional anguish, and loss of companionship.  It would also apply retroactively to January 1, 2021.  

These and other components of the bill inject extreme uncertainty into the insurance environment and will drive costs for all consumers.  The legislation is not expected to be acted upon until after the November 5 election.  The letter and a news article reporting on the effort can be viewed HERE

Oct 03
DFS Cybersecurity Alert: Hackers Infiltrating Help Desks


The New York State Department of Financial Services (DFS) last week warned all financial services companies of a new cybersecurity threat targeting information technology (IT) help desks and service centers. A letter dated September 27, 2024 stated, "DFS has seen evidence that threat actors are targeting IT help desks and call centers using, among other tactics, voice-altering technology in conjunction with information obtained on the internet about the identities of personnel to convince help desks to reset passwords and divert multi-factor authentication (MFA) to new devices."

DFS urged all entities it regulates to alert help desk and service center staff  to be diligent in authenticating the identities of anyone who requests changes to authentication factors. While most Big I New York members do not have help desks, many do use insurance carrier call centers. You may find that the call centers' staff will take more steps to verify your identity when you contact them than they did before. This will likely be because of this new DFS alert. You should anticipate this when contacting them.

Oct 03
Deadline For New Cybersecurity Reg Requirements is Nov. 1


We want to remind all Big I New York members of the upcoming deadline for complying with new cybersecurity requirements. The New York State Department of Financial Services (DFS) last November 1 amended its Cybersecurity Requirements for Financial Services Companies regulation. That amendment included several changes. Some of the changes took effect immediately. The deadlines for others were this past spring, with the deadlines for the rest next month and next year.

Many of the regulation's 24 sections do not apply to businesses that qualify for the “limited exemption.” A business qualifies for the limited exemption if any one of the following three things is true about that business:

  • The business and its affiliates have fewer than 20 employees and independent contractors.
  • The business and its affiliates generated less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations (count only the New York State operations of affiliates.)
  • The business and its affiliates have less than $15 million in year-end total assets.

Most Big I New York members qualify for the limited exemption.

DFS sent an email to all New York licensed insurance professionals earlier this week reminding them of these deadlines. However, only two apply to all “covered entities” (the regulation's term for anyone with a New York banking, financial services, or insurance charter or license). The other three apply only to businesses that do not qualify for the limited exemption and so-called “Class A companies” (very large companies with revenues in the tens of millions and more than 2,000 employees).

The two November 1 deadlines that apply to all covered entities are:

1. Use multi-factor authentication (MFA) for any individual accessing the entity's information systems. However, agencies that qualify for the limited exemption must use it only for:

  • Remote access to the agency's computer systems.
  • Remote access to third-party applications from which individuals can access non-public information.
  • All “privileged accounts” (essentially system administrator accounts) other than service accounts that prohibit interactive login.

If your agency has not already implemented MFA and you need help, agency technology consulting firm Catalyit offers these resources:

Membership in Catalyit is free for Big I New York members, so we encourage all members to register.

2. Provide, at least annually, cybersecurity awareness training that includes social engineering for all personnel. The training should be updated as needed to reflect the risks the agency has identified during its annual cybersecurity risk assessment.

The Compliance Resources page in the Cybersecurity section of our website lists these potential providers of cybersecurity awareness training.

All covered entities, including agencies that qualify for the limited exemption, must comply with these requirements by November 1, 2024.

The deadlines that apply only to larger organizations involve cybersecurity reports to an entity's senior governing body, changes to encryption requirements, and changes to incident response and business continuity management requirements. These requirements do not apply to agencies that qualify for the limited exemption.

For more information:

Sep 30
Big I NY Advocacy Secures Critical Supplemental Spousal Liability Reforms
​Thanks to the advocacy efforts of the Big I NY legislative team and members, Gov. Hochul has signed into law a bill that narrows the Supplemental Spousal Liability (SSL) opt-out to only those policyholders who indicate on their insurance application that they have a spouse.  

Big I NY drove conversations with lawmakers around the customer confusion and time-burden of the original SSL opt-out requirement and engaged members in multiple grassroots calls to action urging both the State Legislature and Governor to quickly remedy the issue.  

Thank you to those who made their voice heard on this matter and to lawmakers who swiftly addressed the challenges created by the original SSL requirement.

The SSL reforms are effective on March 24, 2025.  As always, the Big I NY team is ready to help members navigate SSL and other compliance requirements.  
Sep 27
Local Leaders from Around the State Come Together



Local Association leaders from across the state met in Cazenovia this week to connect and exchange ideas and solutions to challenges.  Discussion topics ranged from NextGen in action, attracting diverse members, financial best practices and how to build community in their region of the state.  Local leaders had the opportunity to “speed network” with Big I NY officers and directors and the afternoon was capped off with a great discussion led by IIABA Chair of the Board Todd Jackson. 

The following morning, leaders broke out by regions to focus on what members in their part of the state need and how Big I NY can help.  Local Leaders are the face of Big I NY!

See more pictures HERE.

Sep 26
Urge Gov. Hochul to Quickly Sign the SSL Reform Bill

​​​

Last Friday the State Assembly delivered the Supplemental Spousal Liability (SSL) reform bill (A.9407A/S.9021A) to Governor Hochul, giving her 10 days to act.  It's not too late to voice your support for this important legislation by visiting the Big I Action Center and sending the Governor a message urging swift action on the bill. 

Under current law, policyholders must affirmatively opt-out of the coverage, even if they are unmarried or applying for commercial auto coverage.  The bill exempts unmarried drivers and commercial policies from automatic SSL enrollment, thus removing the opt-out requirement.  

Big I NY has been an outspoken advocate for these important changes to the SSL mandate, including a renewed Call to Action launched on Monday.  While the Big I NY legislative team anticipates the Governor's signature, please consider sending a pre-drafted message urging her support and quick action on the bill. 

Participating in this important advocacy effort is simple:

  1. Visit the Big I Action Center
  2. Select the SSL Call to Action
  3. Enter your contact information

Click “Send Message”.  

 ​​​THANK YOU to those who have already made your voice heard in this priority issue.  ​
Sep 19
NYAIP Reminds Producers To Verify Insureds’ Identities

​The New York Auto Insurance Plan (NYAIP, also known as “the Plan") is reminding insurance producers to take precautions when transacting business with Plan insureds by phone or email.

The Plan's Special Investigations Unit (SIU) became aware of instances where producers took NYAIP applications, endorsement requests, and credit card transactions by phone. Some of them did not verify the applicant's or card holder's identity. They then falsely certified that they met the NYAIP identity verification requirement. The result was:

  • Issues regarding applicant information.
  • Disputed, unauthorized and questionable credit card transactions.

The Plan reminds producers that when conducting business virtually, they must visually verify their insureds' identities. They must also do this when the sole operator is not the insured. Finally, they must witness the credit card holder's signature. How they do that virtually (Zoom, Microsoft Teams, FaceTime, Google Meet, other) is up to them.

SIU has also learned of fraudsters taking advantage of some producers. The producers took NYAIP applications, endorsement requests, and credit card transactions by phone or email. However, they did not verify the applicant's or credit card holder's identity. There were multiple instances of fraud. Insureds disputed credit card charges after getting their assignments and ID cards.

Since the producers failed to obtain or witness applicants' signatures authorizing payment, appeals to the banks were unsuccessful. Carriers absorbed significant unpaid earned premiums. Also, many different insureds gave the same third-party credit card numbers to producers by phone and email. They also gave false garaging locations for their vehicles. The false locations were in upstate territories with lower rates. The applicants' licenses showed addresses in the five boroughs. The false locations allowed them to evade the higher rates that applied in the true locations.

All NYAIP certified producers should take steps to verify insureds' identities and confirm the accuracy of rating information insureds provide.

Aug 30
What is a Carrier Required To Do When It's Pulling Out of a Market?

​A national insurance carrier announced yesterday afternoon that it is exiting the personal lines insurance markets countrywide. To find out what the carrier's legal obligations are under New York law, download our Carrier Market Action Questions & Answers document.

This and other helpful resources are available for download at any time from the Frequently Asked Questions page in the Answer Center​ of our website.

Aug 28
NYSIR's A.M. Best Rating Withdrawn

​[UPDATE: Since we posted this news item, we have learned that NYSIR is a "municipal reciprocal insurer," as New York Insurance Law Section 6102 defines that term. That same section of the law permits a municipal reciprocal insurer to opt out of having its policies covered by the New York Property Casualty Insurance Security Fund​ (also known as "the guaranty fund.") According to NYSIR's website, they have chosen not to participate in the NYPCISF. Therefore, should the carrier run into difficulty paying claims, they may assess each one of their policyholders (referred to as "subscribers") for the shortfall. It is possible that some school districts may attempt to hold their insurance agents liable for the amounts of these assessments.

It is important to know that many insurance agents' Errors and Omissions Liability Insurance policies exclude coverage for losses resulting from the insolvency of an insurance carrier that had an A.M. Best rating of worse than "B+" at the time the agent placed the coverage and if the policy in question was not protected by a state guaranty fund. NYSIR's A.M. Best rating was downgraded to "B" on July 12. As reported below, it was downgraded again on August 23 and subsequently withdrawn.

Any agents who placed coverage with NYSIR on or after July 12 may be uninsured for losses resulting from a subsequent insolvency, should that happen.]

​The financial strength rating of the New York Schools Insurance Reciprocal (NYSIR) has been downgraded and withdrawn. A.M. Best, a company that evaluates insurance carriers' financial strength and creditworthiness, announced the actions on Aug. 28. 

The actions conclude a rapid series of events. On July 12, A.M. Best downgraded the carrier's financial strength rating (FSR) from "A minus" (Excellent) to "B" (Fair). Just six weeks later, the FSR was downgraded again to "C++" (Marginal). The same day, the carrier asked A.M. Best to withdraw the rating as they wish "to no longer participate in AM Best’s interactive rating process."

Big I New York members who insure educational institutions through NYSIR may want to contact their clients for two purposes:

  1. To advise them of the rating actions.
  2. To discuss what the clients want to do with their insurance programs.


There is a form letter for this type of situation in our ebook The Big I NY Big Book of Form Letters & Other E&O Tools. This valuable resource is free for members and available for $99.00 to non-members.

We will report further developments regarding this situation as we learn of them.​

Aug 28
Do You Have To Report A Wholesaler's Cyber Incident?


A South Carolina based wholesale insurance brokerage reported last week that they had suffered an undescribed cybersecurity incident. It closed the wholesaler for a substantial part of the week.

Some Big I New York members have asked whether the New York financial services cybersecurity regulation​ obligates them to notify the state Department of Financial Services (DFS) about this incident. If your agency does business with that wholesaler, you may have the same question.

Based on the information we have received and what the wholesaler has said on its website, we do not believe New York agencies have an obligation under the regulation to report this incident to the DFS. The wholesaler does, but the retail agency does not.

Section 500.17 of the regulation states:

(a) Notice of cybersecurity incident.

(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.

(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.

The definitions in Section 500.1 state:

For purposes of this Part only, the following definitions shall apply:

(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise. …

(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.

(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:

(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;

(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or

(3) results in the deployment of ransomware within a material part of the covered entity's information systems.

(m) Person means any individual or entity, including but not limited to any partnership, corporation, branch, agency or association. …

(s) Third-party service provider(s) means a person that:

(1) is not an affiliate of the covered entity;

(2) is not a governmental entity;

(3) provides services to the covered entity; and

(4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.

The incident at this wholesaler was clearly a “cybersecurity event” because it was a successful act to disrupt an information system. Mission accomplished. In addition, it was a cybersecurity event that occurred at a “third-party service provider” because the wholesaler does not have an ownership relationship with retail agencies, isn't a governmental entity, provides services to the retailers, and (I assume) has access to the retailer's non-public information. That meets the first part of the definition of “cybersecurity incident.”

However, the incident does not fit the three other parts of the definition:

  • It impacts the retail agency but there is no indication (yet) that a report to law enforcement is necessary – the wholesaler said, “To date, there is no evidence that any data has been misused in any way." If the retailers' clients' private information has not been exposed, no report to law enforcement is necessary.
  • It does not appear to have a reasonable likelihood of materially harming any material part of the retailer's normal operations, since nothing has been reported about the incident shutting down retailers.
  • No ransomware has been deployed in retailers' computer systems.

Since the incident does not meet any of those three criteria, it is not a “cybersecurity incident.” A cybersecurity event that is not a cybersecurity incident does not require a notice to DFS. That could change, especially if the wholesaler does eventually report that private data was exposed and they had to notify the police. Any future communications from them on this will be important.
