June 22, 2017
Come August 28, insurance brokerage firms licensed to do business in New York will be required to submit and maintain a written cybersecurity policy, appoint a chief information security officer (CISO) and submit an annual compliance certificate, along with additional policies and procedures (there are some exemptions for certain firms). This marks the end of the 180-day transitional period built into the New York cybersecurity regulation that went into law on March 1, 2017.
The New York law typifies the big push for cybersecurity regulation across the globe and is groundbreaking in the U.S. in several respects. First, it is a mandatory regulation, as opposed to “guidance.” Second, it is extremely prescriptive and comprehensive in scope, covering security risks throughout the entire information lifecycle. Third, the regulation places responsibility for cybersecurity squarely on the board of directors and senior management team. Failure to comply with state and federal standards could lead to massive fines.
This is just the beginning. Colorado has already announced a proposed rule that makes clear what securities advisers and broker-dealers need to do to protect clients’ electronic data. Additionally, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and is even more onerous than the regulations we are seeing in the U.S. It also applies to every company processing the personal data of EU citizens, not just those inside the EU. With increased regulation a certainty, staying ahead of the curve is critical to adapting to new compliance requirements.
Check out The Council’s webinar on the New York regulation and how it affects brokerage firms: New York’s Cybersecurity Rule: How will it affect your firm?
What We’re Reading
The uptick in cybercrime globally has prompted the SEC to track cyber-threats more closely. In addition, recent SEC investigations have increasingly dealt with threats or attackers originating in cyberspace.
HHS will open its healthcare-specific cybersecurity communications center later this month. The center is intended to fill the healthcare industry’s information-sharing and cybersecurity workforce gap, as well as provide small and medium-sized providers with cybersecurity resources. However, leaders of the Senate Homeland Security and Governmental Affairs Committee are asking HHS to stop building the center, citing concern that it would lack the “necessary liability protections for cooperating health care institutions” and questioning “whether the center would be duplicative of the DHS center.”
Privacy Shield, the transatlantic data transfer agreement used by over 2,000 companies, is up for review this September. It has been under criticism from the start due to lukewarm U.S. support, and now, with the Trump Administration in office, there is increased uncertainty regarding its effectiveness.
The Bitfury Group and Risk Cooperative are forming a strategic partnership to use blockchain technology in the $60 billion insurance broking market, initially exploring cyber-insurance and political risk activities on a blockchain-based system. Bitfury has been assisting national governments as they adapt to blockchain, and believes that the technology can increase transparency, efficiency and security in the insurance industry, while fostering a new business model.
IBM Security announced the opening of the IBM X-Force Command Center in Poland, which has new cognitive capabilities, including IBM Watson for cybersecurity, and expanded data localization services to address clients’ preferences and meet the EU’s General Data Protection Regulation (GDPR) requirements. This new center joins a global network of X-Force Command Centers that process over 1 trillion cyber incidents per month and builds on IBM’s $200 million investment in cyber-incident response capabilities.
Due to the Internet of Things (IoT) trend, cybersecurity insurance is on track to become the next big consumer product. Currently, AIG and New York-based Pure Insurance have designed plans for “high net-worth individuals,” and Munich Re’s American division recently rolled out a plan for everyday consumers.
At the Cyber Risk & Insurance Forum (CRIF), the UK Information Commissioner’s Office (ICO) and industry professionals discussed the possibility of sharing data on the types of breaches, the level and timing of breaches, and the types of organizations hit. In turn, this would give cyber insurers access to more reliable historical data on cyber incidents. However, some underwriters believe this level of transparency and collaboration will decrease market competition, while others, viewing it in a more positive light, feel it can paint a wider claims picture.
The WannaCry cyberattack last month is said to have infected 5-10 times as many systems as was initially reported, bringing the total to one to two million systems. WannaCry disrupted hospitals and telecommunications companies, among others, and exemplifies the need to adapt cybersecurity capabilities to an evolving cyberthreat.