Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers

The European Union (EU) General Data Protection Regulation (GDPR), the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law and the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation all address data privacy (the personal information of individuals) and data protection (the safeguarding of such personal information when it is used for business objectives), but from different perspectives. The NYDFS regulation and the NAIC Model Law focus on the technical obligations of financial services companies: to assess the cyber risk in their systems, to implement additional security controls and to report breaches promptly. The NYDFS regulation (23 NYCRR Part 500) became effective on March 1, 2017.

New York Act: Third Party Service Providers

A Covered Entity is required to ensure the security of its information systems and of any nonpublic information that is accessible to, or held by, third party service providers. By March 1, 2019, under 23 NYCRR 500.11, a Covered Entity must have written policies and procedures for assessing the risk posed by each third party service provider and for establishing the minimum cybersecurity practices it requires of them. Even if a vendor has itself filed a certification of compliance with NYDFS, the Covered Entity must conduct its own due diligence; the vendor's certification does not discharge the Covered Entity's obligation. Any provider with a foothold on the company's network is a potential vector of attack. If a vendor refuses to cooperate with the Covered Entity's compliance efforts, the regulation offers no direct remedy, but there will be considerable market pressure on vendors to do so.

The NY Regulation makes a limited exception for accredited and certified reinsurers. However, it appears that a Covered Entity would have to do due diligence on unauthorized reinsurers that have no accredited or certified status. Most of the large Bermuda reinsurers are now certified, and others, such as Lloyd's, have Multibeneficiary Trust accounts in New York and would be considered accredited. Of course, the level of due diligence can vary widely for different kinds of reinsurance relationships, and a Covered Entity can tailor its policies regarding reinsurers depending on whether the reinsurers maintain, access or process any nonpublic information.

Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.

Developments in the Data Privacy Regulatory Landscape (Introduction)

Regulatory Landscape Part I: The New Privacy Order Created by GDPR

Regulatory Landscape Part II: Extra-Territorial Application of GDPR

Regulatory Landscape Part III: New York Department of Financial Services Regulation

Regulatory Landscape Part V: NAIC Model Law

Regulatory Landscape Part VI: California Consumer Privacy Law

Regulatory Landscape Part VII: Conclusion