As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted its Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, effective March 1, 2017. The first annual certification of compliance with this regulation is due today, February 15, 2018.
The regulation requires “covered entities”—meaning any person or non-governmental entity operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law—to maintain a robust cybersecurity program that includes monitoring, testing, and training, as well as written cybersecurity policies informed by periodic risk assessments. The regulation also requires each covered entity to designate a qualified Chief Information Security Officer and to establish a written incident response plan for promptly responding to and recovering from a cybersecurity event. A covered entity must further notify the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred, and the regulation empowers the superintendent to enforce its provisions.
Today’s compliance deadline serves as a reminder for corporate insureds of the importance of comprehensive cyber insurance coverage to mitigate and manage cyber risk. Indeed, many of the regulation’s requirements are consistent with current cyber insurance underwriting standards such as the requirements of written policies and response plans.
In addition, corporate insureds should remember that cyber insurance policies cover far more than just first-party losses, such as the costs of recovering or restoring lost data, and third-party liabilities, such as lawsuits or regulatory claims arising from a cyber breach. These policies can also help manage cyber risk and response, as they typically include coverage for forensic costs to determine the existence, cause, and scope of a cyber event; legal and public relations expenses related to the event; breach notification costs; data restoration; and other breach response costs. Finally, corporate policyholders should ensure that their directors and officers (D&O) or management liability coverage adequately protects against cyber risks and liabilities, as directors and officers are increasingly the target of shareholder derivative actions and regulatory actions arising from major cyber breaches and alleging systemic failure of cybersecurity controls or procedures.