Covered Entities under 23 NYCRR 500 are required to utilize qualified cybersecurity personnel as necessary to manage and mitigate cybersecurity risks and generally carry out the Cybersecurity Program.
The duties of cybersecurity personnel can be handled by an employee or a team of employees, by an affiliate, or by outsourcing to a third party. Whichever route you take, the person(s) in charge of maintaining the Cybersecurity Program must be adequately trained and kept informed about new cyber threats to the Covered Entity and ways to defend against them.
If you choose to outsource the maintenance of your Cybersecurity Program to a third party, it is imperative that proper diligence is conducted to ensure the third party is appropriately protecting NPI according to the requirements of Section 11 of the regulation. Section 11 will be covered in detail in a future blog post.
The requirement for utilizing qualified cybersecurity personnel is incredibly brief and relatively vague. Seemingly, it is included simply to ensure that companies are taking cybersecurity practices seriously.
This requirement, set forth in Section 10, likely does not apply to you if you’re a small, independent insurance producer, based on the most common exemptions. If you have not already, get familiar with your exemptions in order to tailor your Cybersecurity Program to what’s reasonable and required for your business.