June 22, 2017

Come August 28, insurance brokerage firms licensed to do business in New York will be required to submit and maintain a written cybersecurity policy, appoint a chief information security officer (CISO) and submit an annual compliance certificate, along with additional policies and procedures (there are some exemptions for certain firms). This marks the end of the 180-day transitional period built into the New York cybersecurity regulation that went into law on March 1, 2017.

The New York law typifies the big push for cybersecurity regulation across the globe and is groundbreaking in the U.S. in several respects. First, it is a mandatory regulation, as opposed to “guidance.” Second, it is extremely prescriptive and comprehensive in scope, covering security risks throughout the entire information lifecycle. Third, the regulation places responsibility for cybersecurity squarely on the board of directors and senior management team. Failure to comply with state and federal standards could lead to massive fines.

This is just the beginning. Colorado has already announced a proposed rule that makes clear what securities advisers and broker-dealers need to do to protect clients’ electronic data. Additionally, the European Union’s (EU) Global Data Protection Regulation (GDPR) goes into effect May 25, 2018, and is even more onerous than regulations we are seeing in the U.S. It also applies to every company processing personal data of EU citizens, not just those inside the EU. With increased regulations a certainty, staying ahead of the curve is critical to adapt to new compliance requirements.

Check out The Council’s webinar on the New York regulation and how it affects brokerage firms: New York’s Cybersecurity Rule: How will it affect your firm?

What We’re Reading

New SEC Enforcement Chiefs See Cybercrime as Biggest Threat

The uptick in cybercrime globally has prompted the SEC to track cyber-threats more closely. In addition, recent SEC investigations have increasingly dealt with threats or attackers coming from cyberspace.

HHS Prepares To Unveil Cybersecurity Communications Center by End of the Month

HHS will open its healthcare-specific cybersecurity communications center later this month, which will serve to fill the healthcare industry’s information sharing and cybersecurity workforce gap, as well as provide small and medium-sized providers with cybersecurity resources. However, leaders of the Senate Homeland Security and Governmental Affairs Committee are asking HHS to stop building the center out of concern that it would lack the “necessary liability protections for cooperating health care institutions,” and “whether the center would be duplicative of the DHS center.”

Privacy Shield is Up for Review, and It’s Not Looking Good

Privacy Shield, the transatlantic data transfer agreement used by over 2,000 countries, is up for review this September. It has been under criticism from the start due to lukewarm U.S. support and now, with the Trump Administration in office, there is increased uncertainty regarding its effectiveness.

US Tech Firm in Blockchain Tie-up With Insurance Advisory Firm

The Bitfury Group and Risk Cooperative are forming a strategic partnership to use blockchain technology in the $60 billion insurance broking market, initially exploring cyber-insurance and political risk activities on a blockchain-based system. Bitfury has been assisting national governments as they adapt to blockchain, and believes that the technology can increase transparency, efficiency and security in the insurance industry, while fostering a new business model.

IBM Opens European X-Force Command Center In Poland

IBM Security announced the opening of the IBM X-Force Command Center in Poland, which has new cognitive capabilities, including IBM Watson for cybersecurity, expanded data localization services to address clients’ preferences and meet the EU’s General Data Protection Regulations (GDPR) requirements. This new center joins a global network of X-Force Command Centers that process over $1 trillion cyber incidents per month and builds on IBM’s $200 million investment in cyber-incident response capabilities.

Cybersecurity Insurance: A New Answer to Online Crime

Due to the Internet of Things (IoT) trend, cybersecurity insurance is on track to become the next big consumer product. Currently, AIG and New York-based Pure Insurance have designed plans for “high net-worth individuals,” and Munich Re’s American division recently rolled out a plan for everyday consumers.

ICO in Talks on Cyber Breach Data Sharing

At the Cyber Risk & Insurance Forum (CRIF), the UK Information Commissioner’s Office (ICO) and industry professionals discussed the possibility of sharing data on types of breaches, level and timing of breaches and types of organizations hit. In turn, this would grant cyber insurers access to more reliable historical data on cyber incidents. However, some underwriters believe this level of transparency and collaboration will decrease market competition, while others, viewing it in a more positive light, feel it can paint a wider claims picture.

WannaCry Infected More Systems Globally Than Initially Reported

The WannaCry cyberattack last month is said to have infected 5-10 times as many systems as was initially reported. This now brings the total to one to two million systems. WannaCry disrupted hospitals and telecommunications companies, among others, and exemplifies the need to adapt cybersecurity capabilities to an evolving cyberthreat.