There has been a lot of commentary on New YorkaEUR(TM)s new regulation entitled Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) (the Regulation) which went into effect on March 1, 2017. On March 16, 2017, The Excess Line Association of New York (ELANY) released Bulletin 2017-12 which contains some practical guidance for insurance producers that will face some aEURoeunique situationsaEUR? not addressed in the other commentary.
Specifically, the bulletin refers to insurance producers that aEURoemay not meet the technical definition of a aEUR~Third Party Service Provider.aEUR(TM)aEUR? However, if that producer exchanges aEURoeNonpublic InformationaEUR? with a New York licensed insurer, aEURoeit is probableaEUR? that those insurers aEURoewill treat them as aEUR~Third Party Service Providers.aEUR(TM)aEUR?
ELANYaEUR(TM)s first comment with respect to these insurance producers that are treated as aEURoeThird Party Service ProvidersaEUR? is:
If treated as aEURoeThird Party Service Providers,aEUR? all insurance producers doing business with a number of aEURoecovered entityaEUR? insurance companies will be required to implement separate and various cybersecurity requirements adopted by each insurer subject to the regulation. Insurance producers might find it difficult to simultaneously coordinate and meet the requirements of the aEURoecovered entityaEUR? insurance companyaEUR(TM)s mandates with the insurance producers own cybersecurity plan within the timeframes required by the regulation.
ELANYaEUR(TM)s remaining comments are located
here.