On March 1st of this year, after six months of deliberation and a public comment period, the New York State Department of Financial Services implemented a comprehensive cyber security regulation. These regulations are the first of their kind in the United States and are being trumpeted as a roadmap for the rest of the country to follow, especially after the scare of recent ransomware attacks across the globe. Other states such as Ohio are looking to New York state for guidance as they consider their own regulations around cyber security and data breach insurance.
A Universal Business Concern
Data breaches are a concern for all businesses now, no matter the size. From large corporations like Target and Home Depot to small family-owned companies with only a handful of employees — everyone is now at risk of a cyber attack. Unfortunately, it is no longer a question of if you will be attacked, but when.
In fact, the recent ransomware cyber attacks across Europe and Asia have shown us once again how vulnerable businesses are. A small action by an employee, like inadvertently clicking on an email link, could wreak massive havoc on your organization. The risk of exposure is thus very difficult to control. These recent attacks make the push for more cyber security legislation even more urgent. Regulations similar to the ones in New York will be expedited across the country due to these recent attacks.
A Potentially Catastrophic Risk
The other reason why cyber attack protection is increasingly being pushed is that data breaches are often catastrophic to the victim company, especially if the company has not adequately prepared. As we saw in the recent attacks, medical clinics went without their client records, businesses lost access to all of their portfolio data and business contacts, and customers became very concerned. It is now essential for all businesses to take security protection measures, develop a crisis plan, and enroll in cyber liability insurance, no matter what industry they are in or how big they are.
What Exactly Did New York Implement?
This high cyber attack risk across all industries is why New York state took the pioneering step of developing and implementing regulations to help guide companies in what they should be doing to protect themselves and their customers. These regulations now require all financial institutions, banks, and insurers in the state to develop and maintain a cyber security program. All businesses in New York must now do the following:
- Perform a risk or gap assessment
- Adopt a written cyber security policy
- Create a written crisis plan
- Encrypt all data
- Examine the security of third-party vendors, if used
- Test all systems periodically for weaknesses
- Assign a chief information security officer who reports to the board twice a year
- Provide annual proof of compliance
These are the guidelines that states across the country are looking to as they consider creating their own cyber regulations.
What Does This Mean for Ohio?
There’s already discussion taking place among Ohio legislators with regard to the necessary cybersecurity standards Ohio businesses should be held to. Matt Simon, Vice President of the Ohio Insurance Agents Association and CoverLink Insurance, recently attended the board meeting of the national chapter of the National Association of Professional Insurance Agents in Washington, DC. Along with discussing these new regulations and their implications, the trip included talks with key congressmen and lawmakers.
Matt said of the recent New York regulations: “It’s my belief that this law, among many others being considered in several states, will pave the way for minimum standards with regard to cyber security in all states. Ultimately, I wouldn’t be surprised to see federal regulation establishing a baseline or minimum cybersecurity protocols that all businesses must comply with.”
As a result of this law, there are also certain to be unintended consequences. For example, if businesses are now required to have their board of directors sign off on cybersecurity issues, there’s a new liability risk board members face should they fail to approve adequate measures. Will their Directors & Officers (D&O) policy provide coverage in this scenario? “That’s something we’ll have to keep a close eye on,” says Matt.
One of the other concerns that has arisen out of this regulatory discussion is the cost these new laws will introduce for insurers. The American Association of Managing General Agents estimated that the cost of employing a chief information security officer, as required by the New York regulations, would be around $65,000 to $85,000 per year (source). These costs may end up affecting customers as well.
However, the New York law is unlikely to impact most CoverLink Insurance clients directly because most operate in Ohio. There are a few cases, though, where the implications are still a bit hazy. Matt Simon noted that “it is unclear how those businesses that collect, store, or transmit personally identifiable information (PII) will be impacted if they transmit this PII for customers living in New York.”
As cyber security regulations begin to be implemented and their effects begin to be felt, it is smart for all businesses to keep an eye on their progression and think ahead about how these laws will change the way they do business. Regardless of the legislative implications, or the time frame involved in reaching a decision in your state, businesses would be wise to implement their own cyber security measures to minimize the risk of a breach.
Matt summed up the importance of taking cyber security protection measures along with getting data breach insurance by providing an analogy:
“No one ever expects their business to burn to the ground. Many businesses have a sprinkler system in their building; some are even constructed using fire-resistive materials. Walk into thousands of businesses, and it’s not uncommon to find a fire evacuation route displayed in every room of the building. And despite all these efforts, nearly every business purchases property insurance to cover its building in the event of a fire.
If it’s truly possible to prevent a fire with all the risk controls available to businesses, why have a contingency plan (evacuation route) in case there’s a fire?
And further, why purchase insurance to cover the risk of a fire when clearly so much is being done to prevent the fire?”
The fact is, these risk management techniques are great, and they are absolutely necessary for businesses to implement. However, they don’t eliminate the risk of loss entirely. The same is true with cyber security. Yes, businesses need robust firewalls and anti-virus software. They need to train employees on the dangers of opening attachments from unknown senders, and on how to spot phishing scams. But no amount of preparation or risk management can completely eliminate the risk. The backstop to any type of cyber security plan must be resources, insurance or otherwise, that can respond when a breach occurs.
Would you like to learn more about what kinds of cyber security insurance policies are available? Contact us for a consultation.