In 2018, the Department of Financial Services unveiled a comprehensive set of Cyber Security regulations in an effort to curtail growing threat posed to information and financial systems in today’s modern world. This new set of Regulations has significant reach as it not only affects institutions regulated by the Department of Financial Services who house nonpublic information like insurance carriers, but also the law firms those institutions partner with. The Regulations are comprehensive and are meant to provide a framework as to how your company to should maintain best-practices. The Regulations can be broken down into four (4) general areas: (1) Your policy, (2) Your program, (3) Annual Reporting and (4) Third Party Considerations.
- Policy
As an insurance carrier in New York, you must have a Cybersecurity Program that is designed to protect the “protect the confidentiality, integrity and availability” of your data. What this means is that your business has a way to identity, assess risks, and has an ability to act on, in a defensive manner, to a known threat. First, you must conduct a risk assessment of your company and in response to that risk assessment, draft a written policies and procedures approved by your Board of Directors or other senior management to address information security, system and network security, and business continuity among other things.
- Program
Each insurance carrier must appoint an individual tasked with enforcing their Cybersecurity policy, named the Chief Information Security Officer. This may be a member of your company or a third party, however if there is a third party, you must maintain direction and oversight of their activity to ensure compliance with the Regulations. The Chief Information Security Officer must file a report annually to your company’s senior management on your program and relevant cybersecurity risks.
The Department of Financial Services regulations stop short of outlining required cyber security technical requirements and instead instructs insurance carriers to set their own standards after their risk assessment. This makes compliance with the Regulation hard to clarify, as each carrier will have its own Program tailored to its cyber needs. However, the Regulation does instruct you to consider the following for your Program: annual penetration testing , bi-annual vulnerability assessments, an audit trail designed to detect and respond to threats maintained for five (5) years, written procedures, guidelines and standards that are updated to address new and emerging threats, multifactor authentication, data encryption of nonpublic information, periodic training and monitoring of staff and key personnel, and incident response plan in the event of a breach, and disposal of nonpublic information.
- Reporting
As an insurance carrier, you are required to file a report annual with the Superintendent certifying that you are compliant with the new Cybersecurity regulations. The Department of Financial Services reserves the right to audit your company to ensure compliance with the new Regulations. This is why having a written policy and copies of your Risk Assessment, vulnerability testing, and assessment of your law firm is critical. Failure to maintain these records may result in hefty fines levied against your company.
As a covered entity under the regulation, your vendors – of which Jones Jones LLC would be considered – also must comply with the new Cybersecurity Regulations as well. Law firms and vendors are considered “third party service providers” and since they receive non-public information, you must only partner with a law firm who has put into place protective and industry-standard protections. This partnership is critical as in the event of a cyber-threat, the onus is placed on you, the insurance carrier, to ensure and maintain airtight security practices of your law firms. The risk of partnering with a law firm that is not prepared to comply with the Regulations is enormous, and under New York Banking Law could result in fines up to $75,000.00 per day.
What should you do? If you have not already done so, you must audit the security of your law firms to ensure compliance with these Regulations. It is recommended by the Department of Financial Services that you review your law firms’ cyber security practices regarding the following at bare minimum: their access to nonpublic information, whether they have multifactor authentication, how their data is encrypted at rest and in transit, and their notification policy in the event of a breach on behalf of the law firm.
As Jones Jones LLC takes all of its partnerships seriously, we have completely revamped our own cyber security practices to ensure your claims data is not only adequately protected, but also industry-leading.
- Jones Jones’s cybersecurity infrastructure was modeled after such industry best practices as the NIST Cybersecurity Framework, NIST Special Publication 800-53, and 20 CIS Critical Security Controls.
- Data in transit is encrypted across our network. Data at rest is encrypted using AES 256 encryption.
- All Jones Jones emails are configured with TLS encryption.
- Access to Jones Jones systems require two-factor authentication.
- Jones Jones has its information systems tested for vulnerabilities on a weekly basis.
- Jones Jones infrastructure is reviewed and maintained by a Cybersecurity committee.
- And so much more.
Partnering with a law firm that does not maintain such stringent requirements is a risk in it of itself. Rest assured your partnership with Jones Jones is safe.
