Cybersecurity is top of mind for insurers following the implementation of New York State’s new cybersecurity regulations this past March. While these currently only affect carriers operating in NY, other states seem likely to adopt versions of the NYS regulations rather than wait on the NAIC’s Model Law. These regulations are notable for their unprecedented standards and strict requirements, including instituting a formal CISO, documenting policies, and submitting to regular assessments. Despite having until February 2018 to comply with the new regulations, carriers are already anticipating shifts in both resources and strategies.
One of the greatest challenges insurers will face in light of these new regulations will be
Additionally, carriers will be required to establish and maintain cybersecurity programs that meet a host of regulatory requirements, as well as submit to risk assessments at least annually and vulnerability assessments bi-annually. Insurers will also need to establish policies and procedures for the destruction of nonpublic information that is no longer required. It should be noted that the definition of “nonpublic information” in New York General Business Law is substantially more expansive than “private information” as defined in the proposed NAIC regulation, making for a significant data management burden. Novarica studies show that insurers spend an average of 10% of IT budgets on security, but it is clear that these additional requirements, along with any technology investments the new regulations may necessitate, will drive that cost up, requiring CIOs to rethink other IT priorities.
For more on this, see our recent brief:
This content has been reprinted with permission