Insurance LawJoshua A. Mooney and Richard Borden, The Legal Intelligencer
5 Things Insurers' GCs and Their Boards Must Know for Cybersecurity
Cyberregulation and the meaning of reasonable cybersecurity measures are changing rapidly. Insurance companies are in the red zone for new regulatory schemes and heightening expectations of duties of care that are well beyond the responsibility of a company's CIO. In January, the New York State Department of Financial Services (NYDFS) promulgated 23 NYCRR 500, a first-of-its-kind cyberregulation that requires companies to conduct assessments of their information systems and affirmatively build cybersecurity policies and programs based on those assessments. This includes creating oversight committees of senior officers, reliable chains of communication, and internal reports to educate appropriate decision-makers. The regulation also requires companies to make determinations as to the materiality of risks and events that may implicate other reporting obligations, such as SEC reporting requirements of public entities. The approach outlined in the NYDFS regulation is catching on. Recent NAIC Insurance Data Security Model Law drafts (drafts four and five) are based on the regulation and incorporate many of the same requirements. So is pending legislation in other states.
This premium content is reserved for New York Law Journal subscribers.
Continue reading by getting started with a subscription.
Already a subscriber? Log in now