FIRST AMERICAN was the first company fined by the New York Department of Financial Services for non-compliance with its Cybersecurity Regulation (NYCRR 500). The penalty could have been avoided with a third-party assessment; read here:
New York Regulator Charges First American Unit Over 2019 Data Breach
On July 29, 2022, NYDFS released a set of draft amendments that update the rules in the current regulation. While the proposed changes are still under review, insurance companies should understand them and prepare now, in case they go into effect. This is what insurance companies need to know.
The amendments add a mandatory 24-hour notification for cyber-ransom payments, annual independent third-party cybersecurity audits, and increased requirements for the cybersecurity expertise of the overseeing board, among other new rules.
Read here for more about the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the International Standards Organization (ISO) 27001 Information Security Management standard, and DFS’s Ransomware Guidance.
The new minimum proposed standards will be more stringent than those found in the current regulations.
Covered entities, including Class “A” companies (entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the last three years), must maintain a cybersecurity program based on the individual company’s risk assessment. That program has to cover core functions such as internal and external risk evaluation, defensive infrastructure, risk event detection, and risk response and reporting.
Under the new proposed amendments, companies must:
- Perform an independent, third-party audit of their cybersecurity risk program every year
- Implement relevant and up-to-date defensive measures
- Maintain accurate reporting documentation
- Maintain a written cyber-risk policy approved by a board of directors annually
- Designate a CISO (Chief Information Security Officer) to oversee, implement, and report policy
- Regularly monitor and test information systems within the company including two (2) bi-annual vulnerability assessments
- Limit data access and employ password restrictions and encryption
- Provide cybersecurity training to key personnel
- Provide documented incident reports to senior-level management yearly
- Secure and prevent unauthorized access to an individual’s or an entity’s non-public information
- Comply with the new 24-hour reporting requirements for any data breach or cyber-risk event, among other obligations.
Insurance companies must take steps to ensure that their cyber programs comply not only with the current regulations but also with the proposed changes.
We at Motiva Networks can help prepare your company to be DFS Compliant. We are the only IT Firm that can assure compliance with both Insurance and State Department Cybersecurity Regulations. Our Compliance as a Service is a “Done For You” compliance assurance where we hit every bullet point the law requires, and we monitor your systems for cyberattacks 24/7/365.
Claim your FREE Cybersecurity Risk Assessment today.