June 22, 2017
Come August 28, insurance brokerage firms licensed to do business in New York will be required to submit and maintain a written cybersecurity policy, appoint a chief information security officer (CISO) and submit an annual compliance certificate, along with additional policies and procedures (there are some exemptions for certain firms). This marks the end of the 180-day transitional period built into the New York cybersecurity regulation that went into law on March 1, 2017.
The New York law typifies the big push for cybersecurity regulation across the globe and is groundbreaking in the U.S. in several respects. First, it is a mandatory regulation, as opposed to “guidance.” Second, it is extremely prescriptive and comprehensive in scope, covering security risks throughout the entire information lifecycle. Third, the regulation places responsibility for cybersecurity squarely on the board of directors and senior management team. Failure to comply with state and federal standards could lead to massive fines.
This is just the beginning. Colorado has already announced a proposed rule that makes clear what securities advisers and broker-dealers need to do to protect clients’ electronic data. Additionally, the European Union’s (EU) Global Data Protection Regulation (GDPR) goes into effect May 25, 2018, and is even more onerous than the regulations we are seeing in the U.S. It also applies to every company processing the personal data of EU citizens, not just those located inside the EU. With increased regulation a certainty, staying ahead of the curve is critical to adapting to new compliance requirements.
Check out The Council’s webinar on the New York regulation and how it affects brokerage firms: New York’s Cybersecurity Rule: How will it affect your firm?