A group of U.S. state insurance regulators should use New York’s sweeping cyber security rules as a model for how insurers must protect their networks from hackers and when they must disclose cyber events, New York’s financial regulator said on Sunday.
“We believe the best way for industry to focus on the threat of cyber security is to have a consistent framework,” said Maria Vullo, superintendent of the New York State Department of Financial Services at a meeting of the National Association of Insurance Commissioners (NAIC) in Denver. “The New York regulation is a road map with rules of the road.”
Vullo made the remarks to a task force of state insurance commissioners who have been wrestling with developing a uniform cyber security law that all states can choose to adopt for insurers.
New York’s cyber security rules took effect on March 1.
They followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp , Home Depot Inc and Anthem Inc .
The rules lay out steps that New York banks and insurers must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.
Firms, for example, must scrutinize security at third-party vendors that provide them goods and services. They must also perform risk assessments in order to design a cyber security program particular to them. Covered entities must annually certify compliance.
Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with insurers that do business in New York.
The NAIC task force is about to develop its fourth draft of a proposed model cyber security law since forming in 2015. Insurance commissioners have been unable to reach a consensus on several points, including standards for circumstances in which insurers must notify customers of a breach.
Model laws, which cover a variety of subjects, typically lead to more uniformity among states. But they first must be finalized and approved by organizations developing them before being considered by state lawmakers.
The task force is aiming to develop another draft by May 9.