I’ve spent a great deal of time digging into cybersecurity policies over the years. I’ve seen the good, the bad and the ugly. In fact, back in the day, my first job out of college involved helping one of the largest banks in the United States develop its very first Cybersecurity Policy and Incident Response Plan (as it turns out, auditors have a way of prompting action on this kind of thing!).
For most insurance producers, though, cybersecurity policies are a foreign concept. And rightfully so. Your job is first and foremost selling insurance, not protecting the world from cybercrime.
So today we are talking, at a high level, about the concept of a Cybersecurity Policy: what it is, and what is required under New York’s 23 NYCRR 500.
A Cybersecurity Policy is really no more than a document that outlines how an organization protects important information, such as customer data, financial information, Social Security Numbers and so forth. In the world of financial services and in 23 NYCRR 500, this important data is referred to as Nonpublic Information, or NPI.
Specifically, a Cybersecurity Policy covers how the company protects the confidentiality, integrity and availability (the “CIA”) of Nonpublic Information. Confidentiality is about making sure that only the right people can see or access the data. Integrity is about making sure the data is accurate, up to date and complete. And availability is about making sure that the right people can access the data whenever necessary.
A good Cybersecurity Policy will address several topics that may include:
- Data classification. What is the most sensitive type of data? What types of data or NPI require the most and the least protection?
- Access controls. Who is allowed to access Nonpublic Information? Are there password complexity requirements in place to prevent the wrong people from accessing certain data?
- Physical security. What types of controls are in place to prevent physical access to data or information systems? Locks? Alarm systems? Cameras?
- Risk assessment. How does the company evaluate its internal cybersecurity risk?
This list could go on and on. Some companies will need to address their internal process for software development. Others will outline their business continuity plan in the event of an interruption to normal operations. Every business needs to think about what its own potential risks to NPI are and be sure to address them in the Cybersecurity Policy. With few exceptions, 23 NYCRR 500 requires it.