New York’s financial regulator made a bold claim over the weekend: other states should use New York’s sweeping cybersecurity rules as a model for how insurers must protect their networks from hackers. New York also has clear guidelines for when and how firms must report hacks.
“We believe the best way for industry to focus on the threat of cybersecurity is to have a consistent framework,” said Maria Vullo, superintendent of the New York State Department of Financial Services, at a meeting of the National Association of Insurance Commissioners (NAIC) in Denver. “The New York regulation is a road map with rules of the road.”
Vullo made the remarks to a task force of state insurance commissioners who are struggling with crafting cybersecurity regulations.
New York rules for banks and insurers include stipulations that firms must scrutinize all third-party vendors that provide them goods and services. They must also perform risk assessments in order to design a cybersecurity program particular to them.
Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with insurers that do business in New York.
Model laws must be finalized and approved by organizations developing them before being considered by state lawmakers — though generally they are considered a good tool for creating uniformity among state regulations.