The insurance industry is well aware that in 2017 the New York Department of Financial Services (NYDFS) passed its landmark cybersecurity regulation for insurance companies and banks, which has now taken effect, and that later that year the National Association of Insurance Commissioners (NAIC) also adopted a model law on data security. However, many companies that were not subject to the NYDFS regulation because they were not licensed in New York should be aware that they could soon be subject to cybersecurity regulations as more and more states enact their own versions of the NAIC model law. So far, South Carolina, Ohio, Michigan and Mississippi have adopted versions of the model law, and many other state legislatures are considering enactment of their own versions. And since the NAIC called on legislatures to adopt its model law within three years when it adopted the law in 2017, it is likely that many more states will enact similar laws next year. As more and more states adopt their own data security requirements for insurance entities, it becomes more urgent for companies to familiarize themselves with the various requirements and to develop a compliance strategy as states enact their own cybersecurity laws. Failure to comply could lead to fines, penalties, and other enforcement actions, as well as expose an entity to reputational risk.

NYDFS Cybersecurity Regulation

On Feb. 16, 2017, NYDFS promulgated a final regulation on Cybersecurity Requirements for Financial Services Companies. The rule, which took effect March 1, 2017, applies to insurance companies, banks, and other financial services companies regulated by NYDFS, and requires these entities to adhere to new standards to protect consumers from cyber threats.