Feb 11, 2019
If you write business in N.Y.: March 1 cyber security deadline nears
The last section of New York’s cyber security regulation—500.11: Third-party service provider security policy—goes into effect on March 1, 2019. This section requires all covered entities to implement written policies and procedures designed to ensure that information systems and nonpublic information that are accessible to, or held by, third-party service providers are secure. This means you have to verify that all of your third parties who have access to nonpublic information (e.g., Social Security numbers, policy information, home addresses) have adequate cyber security protections in place to protect such data.
Who is a third party?
The regulation defines a third party as a person who provides service to you (the covered entity) and maintains, processes or otherwise is permitted access to nonpublic information. This means that any outside party that you allow to access your computer system and its nonpublic information is considered a third party (e.g., payroll services, data storage services). The New York State Department of Financial Services has said that covered entities can be third parties of one another; thus, carriers and agents are third parties of each other.
Don’t miss out on our upcoming Webinar
Join PIA’s Director of Government & Industry Affairs Bradford J. Lachut, Esq. on Tuesday, Feb. 26, 2019, from 10-11 a.m., for a PIA Webinar in which he will explore the requirements for insurance agents and agencies under the cyber security regulation, with a concentration on the third-party compliance deadline on March 1, 2019. For more information or to register, select your state: Connecticut; New Hampshire; New Jersey; New York and Vermont.
Does PIA have resources to help me comply with this section of the regulation?
Yes! PIA has created a sample letter and questionnaire for you to use to evaluate the cyber protections your third-party vendors have in place. This questionnaire can be used as is, or it can be customized for your agency’s specific needs. Association members also have access to information in the cyber security section of PIA’s Privacy Compliance Central, which includes in-depth resources on the final regulation and how to comply with it; answers to commonly asked questions about this regulation; and QuickSource documents. If you have any additional questions, contact PIA’s Industry Resource Center at firstname.lastname@example.org.
Don’t want to do it alone?
PIA has partnered with TAG Solutions to offer Compliance Plus and Do-It-Yourself programs for members to help them comply with this regulation. For more information, complete an online form and one of TAG Solutions’ representatives will contact you to discuss your options.