A South Carolina based wholesale insurance brokerage reported last week that they had suffered an undescribed cybersecurity incident. It closed the wholesaler for a substantial part of the week.
Some Big I New York members have asked whether the New York financial services cybersecurity regulation obligates them to notify the state Department of Financial Services (DFS) about this incident. If your agency does business with that wholesaler, you may have the same question.
Based on the information we have received and what the wholesaler has said on its website, we do not believe New York agencies have an obligation under the regulation to report this incident to the DFS. The wholesaler does, but the retail agency does not.
Section 500.17 of the regulation states:
(a) Notice of cybersecurity incident.
(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
The definitions in Section 500.1 state:
For purposes of this Part only, the following definitions shall apply:
(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise. …
(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.
(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.
(m) Person means any individual or entity, including but not limited to any partnership, corporation, branch, agency or association. …
(s) Third-party service provider(s) means a person that:
(1) is not an affiliate of the covered entity;
(2) is not a governmental entity;
(3) provides services to the covered entity; and
(4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.
The incident at this wholesaler was clearly a “cybersecurity event” because it was a successful act to disrupt an information system. Mission accomplished. In addition, it was a cybersecurity event that occurred at a “third-party service provider” because the wholesaler does not have an ownership relationship with retail agencies, isn’t a governmental entity, provides services to the retailers, and (I assume) has access to the retailer’s non-public information. That meets the first part of the definition of “cybersecurity incident.”
However, the incident does not fit the three other parts of the definition:
- It impacts the retail agency but there is no indication (yet) that a report to law enforcement is necessary – the wholesaler said, “To date, there is no evidence that any data has been misused in any way.” If the retailers’ clients’ private information has not been exposed, no report to law enforcement is necessary.
- It does not appear to have a reasonable likelihood of materially harming any material part of the retailer’s normal operations, since nothing has been reported about the incident shutting down retailers.
- No ransomware has been deployed in retailers’ computer systems.
Since the incident does not meet any of those three criteria, it is not a “cybersecurity incident.” A cybersecurity event that is not a cybersecurity incident does not require a notice to DFS. That could change, especially if the wholesaler does eventually report that private data was exposed and they had to notify the police. Any future communications from them on this will be important.