New York Bolsters Security Standards for Insurers, but exempts certain RRGs, Captives, and Others
March 16, 2017

The New York Department of Financial Services (“DFS”) has recently taken a leading stance on strengthening cybersecurity standards within the insurance sphere, but its reach has been curtailed due to pressures within the industry. Pursuant to 23 NYCRR Part 500 (the “Regulation”), every “Covered Entity” must maintain a cybersecurity program to protect the data of the entity. The program must, among other things, identify and assess internal and external cybersecurity risks that threaten nonpublic information, use defensive infrastructure and procedures to protect against unauthorized access, and detect and respond to certain cybersecurity events.

A level of controversy has arisen around the definition of “Covered Entity” to which the Regulation applies. The Regulation applies to “Covered Entities,” defined to include any person required to hold a license, registration, certificate or similar authorization from the DFS, including under the New York Insurance Code. Risk retention groups (“RRGs”), which are federally regulated entities under the Liability Risk Retention Act (“LRRA”), are required to register under New York law and would appear to be captured by the Regulation. After pushback within the industry, however, just before the effective date of March 1, DFS added an exemption for entities regulated by Section 5904 of the Insurance Code, which includes RRGs not domiciled in the state. As the LRRA gives broad regulatory authority only to the home state of the RRG, the exemption helps reconcile the preemptive authority of the LRRA with New York’s desire to heighten cybersecurity standards. The exemptions also include certain captives and charitable annuity societies.

Of course, there remains a desire in the industry to hold RRGs and others to appropriate cybersecurity standards, but given the exemptions, this will need to be accomplished through legislation by the domiciliary state. As such, the National Association of Insurance Commissioners (“NAIC”) is currently in the process of adopting cybersecurity legislation to help promulgate uniform standards throughout the industry. We will continue to report on any new developments from the NAIC and from New York.
