In addition to concerns that the proposed rule could be overly broad, and worries about confidentiality provisions, insurance industry members are also questioning how cybersecurity rules would be applied on a state-by-state basis. At the same time, a proposed NAIC model law that the organization's Cybersecurity Task Force had hoped to finish by the end of 2016 remains in flux.
The Property Casualty Insurers Association of America in a letter to the New York Department of Financial Services said it "continues to have concerns about the significant burdens, costs and compliance difficulties which may be posed by this proposed regulation." The group said it is specifically worried about conflicts among state requirements, particularly when it comes to nondomestic companies.
PCI asserted that terms used in the proposed regulation, which was published at the end of December 2016 after a previous version failed to gain traction, can be interpreted in an overly broad manner. For example, a cybersecurity event is classified as any attempt, even an unsuccessful one, to get unauthorized access to a system, the group pointed out.
The Life Insurance Council of New York in its letter proposed that the definition of an "event" should also contain a material impact standard.
Insurance industry groups also took issue with the proposal's use of the phrase "individual or a member of the individual's family" as it concerns nonpublic electronic information. Failure to limit the scope of "family" could substantially increase the size of the covered population, as well as the cost and complexity of compliance, PCI argued.
The American Insurance Association is worried that an excessively strict reading of the proposal's audit trail provisions would create "significant demands on financial and human resources."
Insurance trade organizations are also objecting to the proposed retention period for audit logs of five years, which had already been reduced from the original proposal. The five-year retention period creates a database that will ultimately be "extremely cumbersome" to review and could actually compromise security if the logs are improperly accessed, the AIA said in its letter to the New York regulator.
How the proposal could play into events that do not impact New York residents and affect nonpublic information of individuals who are not New York residents is also drawing a worrying eye, according to the LICONY letter. Insurers' representatives are concerned that information that was intended under the proposal to be kept confidential could be subject to open records laws.
New York Department of Financial Services Superintendent Maria Vullo announced in the altered version of what the department called "first-in-the-nation" state cybersecurity regulation that the rules would go into effect March 1. In addition to governing insurers, the rules will apply to banks and other financial services institutions regulated by Vullo's office.
The NAIC's proposed insurance data security model law, which has undergone several iterations over about a year, is still subject to controversy regarding a lack of federal and state uniformity on terms such as "data breach" and "harm trigger." Stakeholders in the industry have argued for a single set of cybersecurity requirements but still have questions about how they could conflict with current state laws or how a model law might be adopted differently among states.