Main Menu
Print PDF

NYDFS Cybersecurity Regulations and NAIC Model Law: What Insurers Need to Know

Cyber Law and Data Protection Alert | May 22, 2017
By: Michael Olsan, Jay Shapiro and Laura Schmidt

The cybersecurity landscape is ever-evolving and increasingly complex. As federal and state governments and other organizations try to regulate and pass legislation in the interest of protecting personal information and information technology systems, it is critical for companies and corporations to plan ahead. Partners Michael Olsan and Jay Shapiro and associate Laura Schmidt, members of our Reinsurance and Cyber Law and Data Protection Groups, recently gave a presentation to the Brokers & Reinsurance Markets Association (BRMA) about the New York Department of Financial Services (NYDFS) Cybersecurity Regulations and the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law.


    • The NYDFS Cybersecurity Regulations took effect on March 1, 2017 and require that banks, insurance companies and financial institutions regulated by the NYDFS adopt and maintain a cybersecurity program that protects customer information as well as information technology systems.
    • The Superintendent recognized that a “one size fits all” approach did not work for cybersecurity, so the NYDFS regulations allow some flexibility in creating a cybersecurity program and policy and has exceptions for smaller companies.
    • Even smaller companies that fall within the exceptions are still required to comply with certain parts of the regulation, including maintaining a cybersecurity policy, adopting a cybersecurity program, and limiting access privileges.
    • The NYDFS regulations incorporate New York’s data breach notification laws, so companies will still be required to notify consumers in the event of a data breach.
    • In addition to notifying consumers, the NYDFS regulations require companies to notify the Superintendent of certain cybersecurity events.
    • Even though the NYDFS regulations incorporate rolling deadlines, companies should begin preparing now to meet the deadlines for compliance with these complicated regulations.


    • The NAIC Model Law has gone through multiple revisions, but the most recent version closely tracks the NYDFS regulation. The drafting committee for the Model Law has noted that the committee’s goal is that if a company is compliant with NYDFS, then it should be considered compliant under the Model Law.
    • The most recent draft was released by the NAIC at the end of April. Once finalized and adopted by states, the Model Law will apply to all "Licensees," defined as any person or entity licensed, authorized to operate, or registered, or required to be licensed, authorized to operate or registered pursuant to state insurance laws.
    • Unlike the NYDFS regulations, the NAIC Model Law explicitly recognizes that a company’s Board of Directors is ultimately responsible for the company’s cybersecurity program.
    • The NAIC Model Law, unlike the NYDFS regulations, provides specific notification requirements to ceding insurers (as a result of a reinsurer's cybersecurity event) and producers of record.
    • In the event of a cybersecurity event, the Model Law requires Licensees to hand over extensive information to insurance commissioners, who have the power to take action to enforce provisions of the Act.
    • The Model Law provides confidentiality protections so that such private information turned over to an Insurance Commissioner is protected from Freedom of Information, Open Records, Sunshine or other appropriate laws.

Even if insurance companies, reinsurers, brokers and producers do not fall within the scope of the NYDFS regulations, they should expect that additional cybersecurity regulations and legislation specifically targeting the insurance industry will be implemented in the near future. Companies in the insurance industry should take the time now to start crafting and implementing a cybersecurity program and policy.

If you have questions or would like additional information or guidance crafting your cybersecurity policy, please contact Jay Shapiro (; 212.714.3063) or Laura Schmidt (; 215.864.6333).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.
Back to Page