New Resource Helps You Comply With NY Cyber Reg

Abstract: You now have one-stop access to information about the cybersecurity practices of large publicly traded insurance carrier groups.

Big I New York has unveiled a new resource to help agencies comply with part of the New York financial services cybersecurity regulation. Specifically, it will make it easier for you to comply with the requirements regarding third-party service providers. You now have one-stop access to information about the cybersecurity practices of large publicly traded insurance carrier groups.

The regulation’s Section 500.11 requires all covered entities, including insurance agencies and brokers of any size, to “implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers." (See this flowchart to determine who is a third-party service provider for your agency.) The policies and procedures, which the agency must base on its annual or more frequent risk assessments, must address, among other things, “due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers …"

If a third-party service provider has access to your computer systems and data, the regulation requires you to investigate what they’re doing to prevent data breaches. (I recorded a 20-minute video about this requirement in 2019.) The most common way entities perform this due diligence is to send third parties a questionnaire like the one we created for you to use. However, as I said in the video, the questionnaire is one way to perform the due diligence; it is not the only way. The text I quoted above does not say anything about a questionnaire. It says the policies and procedures must address “due diligence" without telling you how to do it.

Section 500.11 requires each covered entity to establish “minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity." What those minimum practices must be is up to you; the regulation does not set them. For example, you could say that every third-party service provider must meet at least the requirements of the New York regulation.

I’ve said it many times: The good thing about this regulation is it gives entities a lot of leeway on how to comply. The bad thing is it gives entities a lot of leeway on how to comply. You must figure out what works best for you.

The New York State Department of Financial Services (DFS) has said that an insurance agency is a third-party service provider to a carrier, and a carrier is a third-party service provider to an agency. This means the agency must perform due diligence on its carriers. Getting a response from a large national carrier to a questionnaire may be futile. Our new resource makes that unnecessary.

U.S. Securities and Exchange Commission rules require publicly traded companies to report on their cybersecurity programs as part of their annual 10-K reports. The new list posted in the Cybersecurity section of our website links to those sections of the 10-K reports for thirteen carrier groups, including Travelers, The Hartford, AIG, Erie, Progressive, and others that many Big I New York members represent.

After you’ve decided what your minimum requirements are, download the report for the carrier group you’re investigating, compare the contents of that report to your requirements, and decide whether the carrier meets them. If they do not, you then must decide whether to continue doing business with them. The regulation does not require you to stop doing business with them. However, if they ever suffer a breach that affects you or your clients, you should be able to justify a decision to do business with them to the DFS.

Companies typically file their annual 10-K reports from late January to late February. The links on the list right now are to the year-end 2023 reports. We plan to update the links in March after they’ve filed the 2024 reports. We encourage you to save yourselves some work and use this information as part of your compliance efforts.

You’ll find links to the list on the main page at www.biginy.org/cyber and on the Compliance Resources page.

Category: Ask Tim; Cyber
Published: 1/30/2025 1:38 PM
Author: Tim Dodge