March 1, 2017 marks the effective date for the first-of-their-kind cybersecurity regulations from the New York Department of Financial Services (NYDFS). The regulations, which will be phased in over a two-year period, require financial services entities (including insurance companies, agents and brokers) to create and implement a cybersecurity program that emphasizes both breach prevention and response planning.
The NYDFS regulations apply to financial services entities “operating” in New York, but the impact of the regulations will be felt far beyond New York’s borders, stretching to those entities domiciled or headquartered in other U.S. states or foreign countries that are licensed or chartered to do business in New York.
While many large financial services entities may already have implemented a cybersecurity program that satisfies many, if not all, of the NYDFS requirements, the regulations will have a significant impact on smaller and midsize financial services entities that are less likely to have a robust program in place. Regardless of the size of the entity, the regulations will affect directors and officers (D&O) liability and cyber liability exposure, as well as the insurance policies that provide coverage for such risk.
Due to the increased emphasis on breach prevention—particularly the requirements that financial services entities designate a chief information security officer (CISO) responsible for the program and that they certify compliance to the superintendent annually—the NYDFS regulations raise the possibility of new, and potentially increased, cyber and D&O exposure in the event of noncompliance. These issues include:
- Increased Regulatory Exposure
The regulations state that they will be enforced by the superintendent pursuant to, and without limiting, the superintendent’s authority under “any applicable laws,” leaving the superintendent broad discretion in responding to noncompliance. However, the specific enforcement mechanisms remain unclear.
Specific remedies are not identified in the NYDFS regulations, but the powers granted under the New York Financial Services Law provide insight into potential exposures. Specifically, the superintendent’s authority to promulgate the NYDFS regulations is based in part on section 301 of the Financial Services Law, paragraph (c)(4), which grants the superintendent the power to refer “matters to the attorney general in the carrying out of the attorney general’s legal enforcement responsibilities for the protection of consumers of and investors in financial products and services.” In addition, paragraph (2)(C) permits the superintendent to refer complaints “of consumers of financial products and services” to “the appropriate federal, state or local agency.”
Therefore, the superintendent may monitor compliance and refer violations to New York’s attorney general to pursue enforcement actions, or otherwise refer consumer complaints to other agencies for enforcement. The superintendent’s authority under the NYDFS regulations is also based in part on section 408 of the Financial Services Law, which allows the superintendent under certain circumstances to impose civil penalties of up to $1,000 per offense for specified nonfraudulent violations.
D&O and/or cyber policies may cover the expenses incurred to defend against such regulatory proceedings initiated in response to alleged noncompliance with the NYDFS regulations. Under a D&O policy, coverage will likely depend on the specific targets of the proceeding/investigation (e.g., whether it targets individuals or entities) as well as the terms and conditions of the specific policies at issue (e.g., whether a D&O policy includes a network and privacy exclusion). Cyber policies may be better positioned to respond, since many specifically contemplate coverage for regulatory proceedings. Depending on the terms and conditions of the specific policy at issue, coverage may be available for civil penalties assessed in connection with findings of noncompliance with the regulations.
- Increased Data Breach Class Action Exposure
The NYDFS regulations also may affect the liability of a financial services entity in consumer class actions alleging that it was negligent in protecting sensitive or confidential information, including data breach class actions brought by individuals whose data has been stolen. Because the regulations are mandatory, plaintiffs may point to a failure to comply as evidence of the applicable standard of care, bolstering their negligence claims.
- Increased D&O Exposure
The NYDFS regulations may implicate traditional D&O exposure in the event of a breach. The designation of a CISO who must report to the board, together with the mandatory compliance framework and annual certification, effectively bring cybersecurity to the C-suite and the boardroom. Submitting reports or certifications that inaccurately represent an entity’s compliance may result in personal liability for the certifying officer or the CISO (particularly where there is an intent to deceive the regulator), shareholder derivative actions in the event of a data breach, or significant expenses incurred defending a regulatory proceeding. For publicly traded entities, a certification of compliance could be treated as a public statement that forms the basis for liability under the federal securities laws.
Many financial services entities covered by the NYDFS regulations may already have implemented some of the procedures and protections described above in response to the National Institute of Standards and Technology’s Cybersecurity Framework. Smaller and midsize financial services entities (including those partially exempted because their workforce, revenue or assets fall below a specified threshold) may struggle to comply with the full suite of NYDFS requirements given the cost of developing and implementing the preventative measures. As a result, the regulations’ breach prevention emphasis may cause smaller and midsize entities to rely more heavily on so-called “breach coaches” and other service providers to help develop and implement the required prevention and response procedures. Many cyber policies include complimentary consultations with breach coaches, as well as access to best practices articles, white papers and other information that may serve as a resource for complying with the NYDFS regulations.
Cyber and D&O policies will be important tools for risk managers in managing the potentially increased regulatory and litigation exposure, and risk managers should review the terms and conditions of their policies to determine whether the coverage and limits are sufficient.
This article is for general informational purposes only and is not legal advice and should not be construed as legal advice. The information in this article is descriptive only. Actual coverage is subject to the language of the policies as issued.