Though most independent insurance producers are exempt from having to maintain “audit trails” under 23 NYCRR 500, we wanted to briefly cover the topic. It will be helpful for your understanding and, if it does apply, might help point you in the right direction.
In its simplest form, an audit trail is a series of records that document the detection of, and response to, a cybersecurity event. A cybersecurity event in this particular case is one that has a reasonable likelihood of materially harming the normal operations of your business as a Covered Entity. The unfortunate reality about this requirement is that there isn’t exactly a wealth of guidance on the topic.
Our stance on such issues is simple: DOCUMENT, DOCUMENT, DOCUMENT. What do we mean by that?
When a cybersecurity event occurs and you are establishing your audit trail, this means documenting how the incident was detected and how you responded.
For example, having a pre-built form to record who identified the event, what system or device was impacted, the date of occurrence and any details of the event is important for documenting detection.
In terms of recording the response, detail what was done after the incident was identified. Who led the response; what actions were taken, on what days and at what times; notifications to regulatory authorities, consumers, law enforcement or other parties; and why such actions were taken are all crucial.
Be objective about how you’ll create your audit trail. Ask yourself, “If a regulator were looking at my documented audit trail, would it seem sufficiently thorough to answer their questions about the incident?” and “Would my documentation paint me and my business in a good light? Is it clear that I was sincere and diligent in responding to the event?”
If the answer to any of these questions is “no,” then you need to revisit how you maintain your audit trail. Once you have something you are comfortable with, you need to retain a record of the audit trail of any cybersecurity event for five years. Remember: document, document, document.