February 7, 2019

The Council’s legal team at Steptoe & Johnson highlighted another important interpretation of the New York Department of Financial Services’ (NYDFS) Cybersecurity Rule, which promises to have more far-reaching consequences than the one discussed in our January Cyber Watch newsletter.

Put simply, the NYDFS interpretation of the rule means that third-party service providers (TPSPs, section 500.01), including insurance intermediaries, will need to comply with cybersecurity parameters imposed upon it by the covered entity it serves. This ultimately means insurance brokers will likely be faced with numerous and distinct parameters imposed by their carrier partners. (Click here to access the full memo.)

As stated in the Steptoe memo, this means that “the NYSDFS interpretation of the Rule essentially requires producers to have their own “first-party” cybersecurity compliance structures that hopefully match the structures imposed on them by the insurers with whom they interact.” Under this interpretation, there are multiple, potentially-burdensome requirements. For example, covered entities that also qualify as TPSPs will have instituted their own cybersecurity programs based on the rule, but may also have to impose additional carrier requirements should the covered entity (the carrier) require additional compliances.

Additionally, TPSPs that qualify for exemption to the rule and have done their due diligence by filing the Notice of Exemption, may find they now have to implement the protections required by the rule anyway, or even protections beyond what the rule requires if that is what the covered entity it serves necessitates. Granted, the TPSP need not comply with the entire cybersecurity program of every covered entity it serves, but that is cold comfort considering the large number of covered entities with which any given TPSP could potentially interact with, all of whom could have different and possibly contradictory cybersecurity requirements for their TPSPs.

It is especially important to be aware of the additional requirements facing TPSPs in view of the recent reminder issued by the NYDFS. On January 31, 2019, the NYDFS reiterated that the final deadline for implementing protections under the rule is March 1, 2019, and the deadline for filing a Certificate of Compliance is February 15, 2019.