Cybersecurity Compliance Requirements are Piling Up

Beginning October 1, 2017, health insurers, health care centers, pharmacy benefits managers, and third party administrators that administer health benefits, and utilization of new companies, licensed in Connecticut, will be required to file their first annual certification to the insurance department that it maintains a comprehensive information security program in compliance with the Connecticut Health Records Data Security Law that became effective October 1, 2015.

On February 15, 2018, licensees of the New York Department of Financial Services, including banks, insurance companies and others licensed by the New York DFS, will need to file their first annual certification of compliance with the New York DFS Cybersecurity Regulation that became effective March 1, 2017, unless exempt. The New York requirement is broader in scope, covering more companies, and imposing broader and more granular compliance requirements, than the Connecticut requirement.

On April 26, 2017, the NAIC revised its draft model cybersecurity law to incorporate many of the features of the NY DFS Cybersecurity Regulation, including a 72 hour notification requirement, but not including a requirement to file an annual compliance certificate. A hearing on the revised draft will be held on May 9, 2017.

A hearing was held on May 2, 2017 on the cybersecurity regulation proposed March 6, 2017 by the Colorado Division of Securities for broker-dealers and investment advisors. Although not as onerous or comprehensive as the New York DFS Cybersecurity Regulation, including the lack of a specific certification requirement, this development may indicate the continuation of a trend of activity to promote and require better cybersecurity across various states and industries.