On March 1, 2017 the cybersecurity regulation of the New York Department of Financial Services (the “DFS Regulation”) took effect, requiring subject financial institutions, including insurance companies (“Covered Entities”), to, among other things, adopt written information security programs addressing the protection of nonpublic information and information systems.  See 23 NYCRR Part 500.  The National Association of Insurance Commissioners (“NAIC”), which had separately been preparing a model cybersecurity law, adopted a model law that closely resembles the DFS Regulation.[1]  A version of the NAIC model law was first enacted in South Carolina, with Ohio, Michigan, and Mississippi following suit,[2] and similar bills are pending in Connecticut, New Hampshire, and Nevada.[3]  However, none of the laws as enacted is exactly the same as any other, and none precisely follows the NAIC model.

So what’s going on?

In concept, the laws are substantially similar.  Each requires Covered Entities to adopt cybersecurity programs and policies to protect information systems and nonpublic information.  Further, they require each Covered Entity to perform a risk assessment and base its programs and policies thereon, to develop an incident response plan, and to investigate and report data breaches to regulatory authorities in their respective states.  Finally, the laws provide for some limited exemptions from having to comply with their requirements based on compliance with, for example, the Health Insurance Portability and Accountability Act (“HIPAA”), or based on the size of the licensee.

Each law differs in some respects, however, including the nature and scope of exemptions, deadlines for reporting certain data breaches, and particular requirements for written policies.  Covered Entities should be attuned to these differences when developing compliance programs.  The following is a summary of some of these differences, comparing the NY DFS Cybersecurity Regulation, the NAIC Model, and the South Carolina, Ohio, Michigan, and Mississippi laws.

Cybersecurity Event – Definition

NY DFS Regulation: “[A]ny act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”[4]

NAIC Model: “[A]n event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.”  Excludes any event where the data has been encrypted and the key has not been stolen, as well as events in which the Licensee has determined that the Nonpublic Information accessed has not been used or released and has been returned or destroyed.[5]

South Carolina: Same definition and exclusions as the NAIC model.[6]

Ohio: “[A]n event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.”  Same exclusions as the NAIC model.[7]

Michigan: Same definition and exclusions as the NAIC model.[8]

Mississippi: Same definition and exclusions as the NAIC model.[9]

Entities Subject to the Law

NY DFS Regulation: “[A]ny entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under [New York’s] Banking Law, Insurance Law or the Financial Services Law.”[10]

NAIC Model: Insurance licensees of a state.

South Carolina: Entities licensed under the insurance laws of South Carolina.[11]

Ohio: Entities licensed under the insurance laws of Ohio.[12]

Michigan: Entities licensed under the insurance laws of Michigan.[13]

Mississippi: Entities licensed under the insurance laws of Mississippi.[14]

Third Party Service Provider Policy

NY DFS Regulation: Each Covered Entity must develop and implement a policy addressing the identification of each third party service provider, an assessment of each provider’s risk, due diligence with respect to each third party service provider, the minimum cybersecurity practices third party service providers must maintain in order for the Covered Entity to continue to do business with them, and the contractual representations and warranties that Covered Entities’ contracts with third party service providers should contain.[15]

NAIC Model: Insurance licensees must provide oversight of third party service provider arrangements, including due diligence and requiring third party service providers to implement appropriate technical and physical measures to secure Information Systems and Nonpublic Information.[16]

South Carolina: Same as the NAIC model.[17]

Ohio: Same as the NAIC model.[18]

Michigan: Same as the NAIC model.[19]

Mississippi: Same as the NAIC model.[20]

Certification

NY DFS Regulation: All Covered Entities must certify compliance to the Superintendent of the Department of Financial Services annually, not later than February 15.

NAIC Model: Licensees domiciled within a state must provide certification of compliance with the risk assessment, cybersecurity program, and third party service provider requirements to the state’s insurance commissioner annually by February 15.[21]

South Carolina: Same as the NAIC model with respect to insurance licensees domiciled in South Carolina.[22]

Ohio: Same as the NAIC model with respect to insurance licensees domiciled in Ohio.  However, Ohio also allows insurance companies domiciled and licensed in Ohio to submit a written statement certifying compliance with the requirements of Ohio Rev. Code § 3965.02 as part of the insurer’s corporate governance annual disclosure.[23]

Michigan: Same as the NAIC model with respect to insurance licensees domiciled in Michigan.[24]

Mississippi: Same as the NAIC model with respect to insurance licensees domiciled in Mississippi.[25]

Breach Notification – Deadline

NY DFS Regulation: 72 hours from the determination that a cybersecurity event has occurred.[26]

NAIC Model: 72 hours after determining that a cybersecurity event has occurred.[27]

South Carolina: Same as the NAIC model.[28]

Ohio: As promptly as possible, but no later than 3 business days after a determination that a cybersecurity event has occurred.[29]

Michigan: “As promptly as possible, but no later than 10 days after a determination that a cybersecurity event . . . has occurred.”[30]

Mississippi: As promptly as possible, but no later than 3 business days after a determination that a cybersecurity event has occurred.[31]

Breach Notification – Triggering Events

NY DFS Regulation: Either of the following:

1.      A cybersecurity event impacting the Covered Entity for which notice is required to be provided to any government or regulatory body; or

2.      A cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.[32]

NAIC Model: When either of the following criteria has been met:

1.      The state is the licensee’s state of domicile or home state; or

2.      The licensee reasonably believes that the nonpublic information involved relates to 250 or more consumers residing in the state, and either of the following is met:

a.       The event requires notice to be provided to a government body, self-regulatory agency, or any other body under state or federal law; or

b.      The event has a reasonable likelihood of materially harming:

i.      Any consumer residing in the state; or

ii.      Any material part of the operations of the licensee.[33]

South Carolina: Same as the NAIC model.[34]

Ohio: When either of the following criteria has been met:

1.   Both of the following apply:

a.   Ohio is the licensee’s state of domicile or home state; and

b.   The cybersecurity event has a reasonable likelihood of harming a consumer or a material part of the normal operations of the licensee; or

2.   The licensee reasonably believes that the nonpublic information involved relates to 250 or more consumers residing in Ohio and the cybersecurity event is either of the following:

a.   A cybersecurity event impacting the licensee of which notice is required to be provided to any government, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or

b.   A cybersecurity event that has a reasonable likelihood of materially harming either of the following:

i.    Any consumer in Ohio; or

ii.   Any material part of the normal operations of the licensee.[35]

Michigan: When either of the following criteria has been met:

1.     Michigan is the licensee’s state of domicile or home state, and the cybersecurity event has a reasonable likelihood of materially harming either of the following:

a.    A consumer residing in Michigan; or

b.   Any material part of a normal operation of the licensee; or

2.     The licensee reasonably believes that the nonpublic information involved relates to 250 or more consumers residing in Michigan and the cybersecurity event is either of the following:

a.     A cybersecurity event impacting the licensee of which notice is required to be provided to any agency or body under state or federal law; or

b.     A cybersecurity event that has a reasonable likelihood of materially harming either of the following:

i.    Any consumer residing in Michigan; or

ii.    Any material part of the normal operations of the licensee.[36]

Mississippi: Substantially the same as Michigan’s law.[37]

Exceptions – Size

NY DFS Regulation: Covered Entities with fewer than 10 employees, or with gross annual revenue of less than $5 million, or with year-end total assets of less than $10 million.

NAIC Model: Licensees with fewer than 10 employees.  No revenue or asset threshold.[38]

South Carolina: Same as the NAIC model.[39]

Ohio: Same as the NY Regulation.[40]

Michigan: Licensees with fewer than 25 employees.  No revenue or asset threshold.[41]

Mississippi: A licensee that has fewer than 50 employees, or has less than $5 million in gross annual revenue, or has less than $10 million in year-end total assets, or is an insurance producer or adjuster.[42]

Exceptions – Cybersecurity Programs of Other Covered Entities

NY DFS Regulation: Covered Entities that are subject to the cybersecurity program of another Covered Entity are not required to adopt their own cybersecurity programs (e.g., subsidiaries of larger parent companies).[43]

NAIC Model: An employee, agent, or designee of a licensee who is also a licensee is exempt from the information security program portions of the Model Act and need not develop its own information security program to the extent that it is covered by the information security program of another licensee.[44]

South Carolina: Substantially the same as the NAIC model.[45]

Ohio: Substantially the same as the NAIC model.[46]

Michigan: Substantially the same as the NAIC model.[47]

Mississippi: Substantially the same as the NAIC model.[48]

Exceptions – Compliance with HIPAA

NY DFS Regulation: The NY DFS Regulation does not contain an exemption for entities subject to and in compliance with HIPAA.

NAIC Model: A licensee subject to HIPAA that has established and maintains an information security program pursuant to HIPAA will be considered to meet the information security program requirements of the Model Act.[49]

South Carolina: A licensee subject to HIPAA will be considered to meet the requirements of § 38-99-20.[50]

Ohio: Substantially the same as the NAIC model.[51]

Michigan: Substantially the same as the NAIC model.[52]

Mississippi: Substantially the same as the NAIC model.[53]

 

[1]               See our prior coverage of the NY DFS cybersecurity regulation and the NAIC model law.

[2]              Mississippi’s law (Senate Bill No. 2831) was approved by Governor Phil Bryant on April 3, 2019, and is scheduled to take effect July 1, 2019.

[3]              Similar bills are pending in other states, including Connecticut (Raised Bill 903), New Hampshire (Senate Bill 194-FN), and Nevada (Senate Bill 21).

[4]              23 NYCRR 500.01(d) (emphasis added).

[5]              Model 668, § 3.D.

[6]              S.C. Code of Laws § 38-99-10(3).

[7]              Ohio Rev. Code § 3965.01(E) (emphasis added).

[8]              Mich. Comp. Laws § 500.553(c).

[9]              Miss. SB 2831, § 3(d).

[10]             23 NYCRR 500.01(c).

[11]             S.C. Code of Laws § 38-99-10(9).

[12]             Ohio Rev. Code § 3965.01(M).

[13]             Mich. Comp. Laws § 500.553(g).

[14]             Miss. SB 2831, § 3(i).

[15]             23 NYCRR 500.11.

[16]             Model 668, § 4(F).

[17]             S.C. Code of Laws § 38-99-20(F).

[18]             Ohio Rev. Code § 3965.02(F).

[19]             Mich. Comp. Laws § 500.555(6).

[20]             Miss. SB 2831, § 4(6).

[21]             Model 668, § 4(I).

[22]             S.C. Code of Laws § 38-99-20(I).

[23]             Ohio Rev. Code § 3965.02(I).  Further, the Ohio statute provides that a licensee that meets the risk assessment, cybersecurity program, and other requirements of Ohio Rev. Code § 3965.02 “shall be deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework for the purposes of Chapter 1354 of the Ohio Revised Code.”

[24]             Mich. Comp. Laws § 500.555(9).

[25]             Miss. SB 2831, § 4(9).

[26]             23 NYCRR 500.17(a).

[27]             Model 668, § 6.

[28]             S.C. Code of Laws § 38-99-40(A).

[29]             Ohio Rev. Code § 3965.04(A).

[30]             Mich. Comp. Laws § 500.559(1).

[31]             Miss. SB 2831, § 6(1).

[32]             23 NYCRR 500.17(a).

[33]             Model 668, § 6(A).

[34]             S.C. Code of Laws § 38-99-40(A).

[35]             Ohio Rev. Code § 3965.04(A)(1).

[36]             Mich. Comp. Laws §§ 500.559(1)(a) and (b).  The Michigan statute also contains a provision regarding the notification of consumers that none of the other statutes contain.  See Mich. Comp. Laws § 500.561.

[37]             Miss. SB 2831, §§ 6(1)(a) and (b).

[38]             Model 668, § 9(A)(1).

[39]             S.C. Code of Laws § 38-99-70(A)(1).

[40]             Ohio Rev. Code § 3965.07(A).

[41]             Mich. Comp. Laws § 500.565(1).

[42]             Miss. SB 2831, § 9(1)(a) (emphasis added).

[43]             23 NYCRR 500.19(b).

[44]             Model 668, § 9(A)(3).

[45]             S.C. Code of Laws § 38-99-70(A)(2).

[46]             Ohio Rev. Code § 3965.07(C).

[47]             Mich. Comp. Laws § 500.565(3).

[48]             Miss. SB 2831, § 9(c).

[49]             Model 668, § 9(A)(2).  Licensees must still meet the breach investigation and reporting requirements of the model act.

[50]             The South Carolina Department of Insurance has clarified that, despite the circular and unclear language of the statute, it interprets this provision to give licensees subject to HIPAA an exemption from the information security provisions of §§ 38-99-20(A) through (H), but not from the certification provisions of § 38-99-20(I) or the cybersecurity event investigation and reporting requirements of §§ 38-99-30 and 38-99-40.

[51]             Ohio Rev. Code § 3965.07(B).

[52]             Mich. Comp. Laws § 500.565(2).

[53]             Miss. SB 2831, § 9(1)(b).  The Mississippi law also contains an exemption for a licensee affiliated with a depository institution that maintains an information security program in compliance with the interagency guidelines promulgated under the Gramm-Leach-Bliley Act.  Miss. SB 2831, § 9(1)(d).  Such an exemption does not appear in the NAIC model law or in the similar laws adopted by other states.