June 6, 2019

The Council has been working on an approach to standardize the monitoring processes for agents/brokers that are considered to be third-party service providers (TPSPs) of the carriers (and vice versa) under New York’s Cybersecurity Regulation. This deserves attention because the NY TPSP rule is a significant issue for agents, brokers and insurers doing business in the state of New York. Brokerage firms have contractual relationships with hundreds of carriers, rendering both carriers and brokerage firms potentially subject to hundreds of cybersecurity monitoring protocols as efforts are made to comply with the NY TPSP rule.

By way of background, any entity that maintains, processes or accesses nonpublic information through a New York insurance licensee is considered a third-party service provider (TPSP) of that licensee. The TPSP provision includes a due diligence requirement for licensees to “evaluate the adequacy of cybersecurity practices” of their TPSPs, as well as a periodic assessment requirement “based on the risk [TPSPs] present and the continued adequacy of [TPSPs’] cybersecurity practices.” Relying on a TPSP’s own Certifications of Compliance is not sufficient to satisfy these obligations.

In an FAQ issued last year, the New York Department of Financial Services (NYDFS) stated that licensees could be TPSPs for other licensees and would then be subject to this requirement, and it specifically cited agents as potentially being TPSPs for the carriers for which they are appointed.

Given the burdensome nature of this requirement, The Council is working with the American Property Casualty Insurance Association (APCIA) to try to come up with a mechanism to satisfy the rule’s ongoing monitoring requirements for TPSPs through a common “best practices” monitoring solution.

It is important to note that this “monitoring solution” would not extend to standardization of producers’ or carriers’ policies and procedures, or minimum cybersecurity standards. The aspiration instead is to offer a standardized solution for licensees to evaluate the cybersecurity standards or compliance regimes of TPSPs who themselves are also licensees subject to the core requirements of the rule.

The Council and APCIA have both set up member working groups to evaluate options. If you are interested in being involved with The Council’s working group, please email John Fielding at john.fielding@ciab.com.