Cyber regulations for insurers: Where we’re at

Director believes regulations have not been explained effectively

By Will Koblensky

The first-ever set of cybersecurity regulations for financial services companies, including insurers, is on a bumpy road to its March 1 implementation.

The executive director of the American Association of Managing General Agents (AAMGA), Bernd Heinze, said he believes the less-than-smooth proposal process is due to a regulator putting the cart before the horse.
 
“I have yet to see a single document from the DFS that says ‘this is why these prescriptive requirements are necessary’ or ‘these are the problems these regulations are going to solve’,” Heinze said.

“I’m not saying these (regulations) don’t have a purpose, it just hasn’t been explained to me what this is going to do to solve the cyber problem that exists.”

After New York’s Department of Financial Services (DFS) released its original proposal, which could become the template for the nation’s financial cyber regulations, outrage from the industry ensued.

Over 150 public comments, written in the form of open letters, from organizations like the New York Insurance Association, New York Bankers Association and the AAMGA were directed at the DFS.

Many of the letters criticized the “cookie cutter” or “one size fits all” approach of the DFS, which did not hold any hearings prior to its original proposal.

Heinze suggested that the National Association of Insurance Commissioners (NAIC) approach of consulting with insurers and creating a model law from those recommendations is a more logical method.

“The NAIC has entertained the ability to segment the marketplace,” Heinze said.

“Separating the cyber security requirements for a large insurance company, for a large insurance broker, a health insurer collecting private information (SINs and the like) as opposed to an independent wholesale agent or broker that may have 10 employees,” he explained.

On December 28, 2016, the DFS released a revised version that quelled many of the earlier fears surrounding the sweeping regulations.

The amended proposal has received praise for respecting segmentation of the market, using risk assessments unique to each entity, allowing more time for compliance and imposing less stringent encryption rules.

Heinze himself described the revised regulatory scheme as “less vague”, “more reined in” and “less prescriptive”, though he would prefer even more specific rules for smaller players.

Heinze said he appreciates the DFS listening to the industry and changing its tune, but there is still daylight between what he sees as a “proportional” response and what the DFS has most recently announced.

“As they say, the devil is in the details, well here the devil is in the implementation,” Heinze said.

The AAMGA’s membership is made up of independent wholesalers, agents and brokers, and its main contention with how the regulations were originally rolled out was that its members were lumped together with large banks and hedge funds.

“If they were to have done it in a different way, they would have allowed the chief information officers and other IT professionals for insurance wholesalers and brokers to come in and provide advice as to what the avoidable and unavoidable consequences would be of various requirements the department believed were necessary,” Heinze said.

The amended proposal is open to another round of public comments until January 27 before going into effect on March 1.
