Interactive Webinar Highlights Posted for ‘New York’s New Cyber Regulation: A Producer’s Guide to Compliance’

OLDWICK, N.J. -- The Excess Line Association of New York (ELANY) and A.M. Best have posted an interactive video presentation based on a recent national web broadcast in which experts guided New York-licensed resident and non-resident producers through a practical approach to compliance with New York’s new cybersecurity regulation, including obligations applying to “exempt” firms and individuals.

Speakers included:

  • Howard Greene, Director of Strategic Initiatives, ELANY; and
  • Joe Yetto, President, TAG Solutions.

Following the presentation, the webinar was compiled into stand-alone segments that address various aspects of complying with New York’s cybersecurity regulation.

The video-based interactive presentation is available at:

A printable version of the highlights in online publication format is available at:

Segments include:

01 - Introductions:

02 - The Regulation: Several years of preparation became reality when the New York Department of Financial Services introduced its first-in-the-nation cybersecurity regulation in 2017 covering agents and brokers among other financial services providers and professionals.

03 - Firms that file exemptions: It's possible to obtain exemption from some of the regulation’s requirements.

04 - Individual Exemptions: Individuals who are fully covered under a firm’s program are broadly exempt.

05 - Compliance certification: By February 15, 2018, many New York licensees must certify compliance with the state's cybersecurity regulation.

06 - Compliance Requirements For Initial Certification: Only some requirements must be complied with for the initial February 15, 2018 certification.

07 - If You Can't Meet the Certification Deadline: Organizations have a lot of work to complete by February 15, 2018. Those that can't make that deadline have limited options, but there are approaches they can try.

08 - Where to Start: Simply working in chronological order based on compliance dates may not be the best way to start.

09 - Completing the Risk Assessment: Completing the risk assessment can be a challenging task. One way to make that task easier is to look to frameworks or approaches that have already been developed and become established.

10 - Creating a Cybersecurity Program: The actual drafting of the program should be done in steps. It becomes another plan for the organization, comparable to sales, marketing and other plans that collectively drive the business and shape the work environment.

11 - The 14-Part Cybersecurity Policy: Working methodically, keeping the language simple and relying on an established framework will help policy authors work through one of the more involved parts of the regulation.

12 - What's a Cybersecurity Event and What's Reportable? Certain cyber events must be reported to New York's Department of Financial Services within 72 hours of occurrence. Reporting requirements vary, but the DFS is adamant that events involving material consumer harm must be reported.

13 - Defining "Nonpublic Information:" Regulators are looking to protect against or be notified of breaches involving various forms of business, third party and health information.

14 - What’s an "Information System?" Information systems are defined broadly and include agency management systems, email systems and more.

15 - Listing the 14 Policies: To be compliant, covered organizations must document their policies in 14 areas. Some are similar. Many of these may already be in some form of use.

16 - Implementing an Incident Response Plan: Part of developing an incident response plan is determining just what constitutes an incident. Then it's on to who should handle it and how.

17 - Assigning a Chief Information Security Officer: Covered organizations are required to designate a Chief Information Security Officer. However, that task may be handled by a third party or on a part-time basis, depending on the scope and needs of the organization.

18 - Reporting: Reporting must be done at least annually, but panelists recommend documenting throughout the year, keeping track of policy changes, risk assessments and more. This report can be handled via outsourced support or by internal staff.

19 - Identifying Qualified Cybersecurity Personnel: Cybersecurity personnel can be in-house or outsourced. What's important is that they have a sufficient background, participate in ongoing training and remain updated so they can address updated risks.

20 - Training Cybersecurity Personnel and Documentation: Training is important, and so is maintaining records that the training has taken place. Documentation can include times and places, books read, conferences attended, certifications earned and more.

21 - Penetration Test and Monitoring Requirements: The best evidence of cybersecurity effectiveness is defending against attacks, both staged and third-party, and demonstrating that systems are being monitored to detect further intrusions.

22 - Cybersecurity Awareness Training: All staff should learn how to detect suspicious activity.

23 - Does Compliance Mean Safety? Achieving compliance is only the beginning. Firms are responsible for their own safety and must remain abreast of new technologies and threats.

24 - The Costs of Not Complying: Firms may have a variety of reasons for not complying, ranging from errors to neglect. The less interest a firm shows in compliance, the greater the likelihood of harsh penalties.

25 - Reporting Cyber Breaches: Firms are required to report breaches affecting New York firms and individuals. Beyond that, the jurisdiction of an impacted party will dictate reporting obligations.

26 - NIST: The National Institute of Standards and Technology offers several frameworks that firms can refer to for guidance in crafting their own policies.

27 - Training Resources for Chief Information Security Officers: Entire industries have sprung up around preparing and provisioning firms to become less vulnerable to cyberattacks.

28 - Third Party Providers: Turning over servers and technology oversight to third parties does not excuse licensees from their responsibilities under the regulation.

29 - Applicability to Small Entities: Small size alone does not exclude firms or individuals from complying with New York's cybersecurity requirements, although one or more limited exemptions may apply.

30 - Where to Find the Regulation and Accompanying Requirements: New York's cybersecurity requirements are publicly available and broadly referenced online.

31 - The Biggest Challenges Firms Face: New York's cybersecurity regulations may create short-term burdens, but the long-term benefits include improved defenses against cyberattacks and ongoing attention to important risk management issues.

32 - General Data Protection Regulation: The National Association of Insurance Commissioners, along with many individual states, is following in the footsteps of New York and European regulators who have imposed more-stringent requirements on firms' storage and treatment of data.

33 - Key Takeaways: Don't Delay: Firms that begin early, plan their work and follow through should have little trouble in meeting requirements. Make sure to certify compliance by February 15, 2018.

34 - Impact on New Hires and New Licensees: Individual licensees who join a new firm must file for an exemption if applicable, or file to continue an existing exemption annually.

Learn more about Best’s Review and A.M. Best’s webinar program at:

A.M. Best is the world’s oldest and most authoritative insurance rating and information source. For more information, visit

Copyright © 2018 by A.M. Best Company, Inc. ALL RIGHTS RESERVED.


A.M. Best
Lee McDonald, +1 908-439-2200, ext. 5561
Group Vice President, Publication & News Services