By Stephen M. Soble
Originally published in the September 25, 2017 issue of Insurance Advocate
By now, we should all be aware of the sweeping cybersecurity compliance regulations issued by the NYS Department of Financial Services (DFS), which are “designed to assess the effectiveness” of a wide array of Covered Entities. Broadly speaking, these entities include banking, insurance, financial advisory and financial management companies operating in NYS that satisfy some minimal footprint thresholds (10 or more employees, or $5 Million in NYS-based revenue, or $10 Million or more in global turnover). The risks of non-compliance are stern: fines, potential criminal penalties, injury to reputation, loss of clients, not to mention public ridicule. DFS and the NYS Attorney General will strive to set a few examples to stimulate voluntary compliance, the classic pattern of new regulatory adoption. It is interesting to note that insurers writing policies which cover certain types of negligence, errors and omissions may find that the regulation's documentation and compliance requirements actually serve to narrow the scope of coverage in the event of a data breach. However, it will take a few real-world cases and some deeper legal analysis to see precisely how this plays out.