NY regulator wants other states to model cyber laws after its rules
[DENVER] A group of US state insurance regulators should use New York's sweeping cyber security rules as a model for how insurers must protect their networks from hackers and when they must disclose cyber events, New York's financial regulator said on Sunday. "We believe the best way for industry to focus on the threat of cyber security is to have a consistent framework," said Maria Vullo, superintendent of the New York State Department of Financial Services, at a meeting of the National Association of Insurance Commissioners (NAIC) in Denver.
"The New York regulation is a road map with rules of the road." Vullo made the remarks to a task force of state insurance commissioners who have been wrestling with developing a uniform cyber security law that all states can choose to adopt for insurers.
New York's cyber security rules took effect on March 1.
They followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to US companies, including Target Corp, Home Depot Inc and Anthem Inc.
The rules lay out steps that New York banks and insurers must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
Firms, for example, must scrutinise security at third-party vendors that provide them goods and services. They must also perform risk assessments in order to design a cyber security programme particular to them. Covered entities must annually certify compliance.
Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with insurers that do business in New York.
The NAIC task force is about to develop its fourth draft of a proposed model cyber security law since forming in 2015.
Insurance commissioners have been unable to reach a consensus on several points, including standards for circumstances in which insurers must notify customers of a breach.
Model laws, which cover a variety of subjects, typically lead to more uniformity among states. But they first must be finalised and approved by organisations developing them before being considered by state lawmakers.
The task force is aiming to develop another draft by May 9.