NYLJ.COM | Cybersecurity | MONDAY, JUNE 5, 2017 | S9
New DFS Cybersecurity Regulations Are Here: Will Your Insurance Protect You?
BY ANDREW M. REIDY AND JOSEPH M. SAKA
New York always is at the vanguard of innovation when it comes to making people’s lives better with such inventions as air conditioning, credit cards and, not to be forgotten, the Cronut. This year, New York again is at the forefront of change. On March 1, 2017, the New York Department of Financial Services (DFS) issued “first-in-the-nation” cybersecurity regulations. 23 NYCRR 500. Governor Andrew Cuomo stated that the regulations will help assure that the financial services industry “has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
The regulations impose stringent requirements on all businesses regulated by DFS, including banks, insurers, and other financial services companies. Subject entities, for example, will be required to appoint a chief information security officer, conduct regular cyber testing, provide cybersecurity awareness training, and implement multi-factor authentication. By August 28 of this year, covered businesses are required to meet certain of the regulations. By Feb. 15, 2018, companies are required to file a certification confirming compliance with the regulations. By March 2019, companies will be required to look beyond their own practices to ensure that vendors and third-party contractors also are meeting certain standards.
The requirements are not optional. Compliance with regulations, however, does not immunize businesses from potential liability. Industry experts are expecting that the new regulations may spawn even more claims relating to compliance.
Sophisticated businesses recognize that their insurance policies can help them manage this risk. But planning ahead is critical. As companies consider their readiness to meet the DFS cybersecurity regulations, they also should be considering the sufficiency of their insurance policies. From an insurance perspective, there are at least four steps every New York business should be taking right now to stay ahead of the curve:
Understand Your Potential Liability
Step one in assessing the adequacy of your organization’s insurance is understanding your key risks. One size does not fit all. For some, there will be exposure to liability from storage of payment card information. For organizations with many employees, confidential information regarding employees will be a concern. Whatever the case, make sure you identify likely risks or exposures. By doing this on the front end, you can both make sure your insurance policies are properly structured and save money by avoiding premiums for coverage you do not need.
With the new DFS cybersecurity regulations, it is likely that companies will be exposed to altogether new claims. For example, with the certification requirement, businesses and their directors and officers may be exposed to lawsuits (including securities lawsuits) based on false or incomplete certifications to the DFS. As another example, state regulators may bring regulatory actions against companies for failure to comply with the regulations. In the event of a data breach, businesses also should expect that consumers and affected parties will cite any failure to comply with the DFS regulations when bringing claims. Companies should have protection from these potential liabilities in their policies.
Understand Which Policies May Respond
After obtaining an understanding of key exposures, one needs to review insurance policies to assess the scope of coverage. Where should you look? Everywhere. Some coverage may be available under “traditional” insurance policies, such as directors and officers (D&O) liability insurance policies, errors and omissions insurance policies, general liability insurance policies, and fidelity insurance policies. For instance, one prevalent risk recently has been ransomware attacks, and coverage for the “ransom” payment or consequent business interruption losses may be covered under fidelity bonds or crime policies. D&O insurance may cover securities lawsuits based on alleged misrepresentations regarding cyber preparedness.
If your company has not purchased a stand-alone cyber insurance policy yet, now is a good time to start looking to do so. Although the market is still developing, in recent years, the insurance industry has done a much better job responding to consumer demand. The underwriting process remains tedious, but it is less burdensome than it once was. With a more extensive loss history, » Page S13
ANDREW M. REIDY is a partner and JOSEPH M. SAKA is counsel in Lowenstein Sandler’s insurance recovery group.