On November 9, 2015, the New York Department of Financial Services (NYDFS) issued a letter that describes what insurers can expect from the Department’s ongoing assessment of cybersecurity measures. The letter parallels concerns raised in NYDFS’s February 2015 report, which noted low levels of CEO attention to cybersecurity issues and high levels of information sharing with third-party service providers.
The letter lists eight areas where “potential regulations” would set specific requirements. Given the Department’s concern for the security of consumer information held by large insurance entities, it is unlikely that this letter is merely a general statement of areas the Department is considering regulating. More likely, the eight areas analyzed below preview regulatory provisions in the works.
Cybersecurity Policies and Procedures: The Department outlines an extensive 12-point list of subject areas they expect to be addressed by entities’ cybersecurity policies and procedures. These include:
(1) Information security
(2) Data governance and classification
(3) Access controls and identity management
(4) Business continuity and disaster recovery planning and resources
(5) Capacity and performance planning
(6) Systems operations and availability concerns
(7) Systems and network security
(8) Systems and application development and quality assurance
(9) Physical security and environmental controls
(10) Customer data privacy
(11) Vendor and third-party service provider management
(12) Incident response, including setting clearly defined roles and decision-making authority
Though large insurers already have many of these policies and procedures in place, this list becomes more onerous when read in conjunction with Section 5. Section 5 states that “[e]ach covered entity would be required to maintain and implement written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the entity.” If this formulation is preserved in the final regulations issued by NYDFS, it would be insufficient for insurers to merely implement these policies and procedures. Rather, they would also have to meet a standard of reasonableness in that implementation. As discussed in Section 5, this may prove challenging. For the full article click here
from cyber security caucus http://ift.tt/1lffWx9
via IFTTT
No comments:
Post a Comment