

The Changing Face of Cyber Security Risk and Regulation

Thursday, March 23, 2017
Time: 2pm – 3pm

For your convenience, you may download today’s presentation, Index of Topics, and Glossary of Key Terms from the Resource List widget in the lower right section of your console before the event begins. A Housekeeping video will show before today’s presenters begin. If listening with computer speakers please follow along with the audio. If listening by phone, please follow along with the instructional slides. If you experience any issues with slide advancement, hit F5 for PCs or CMD R for Macs.


Page 2

Welcome and Housekeeping

• Welcome
• Chris Mason – Producer, e-Learning Committee
• Housekeeping Video
• Conference Video


Page 3

Session Overview

Cyber security is at the forefront of everyone’s minds. With more digital and so-called “Insurtech” initiatives comes more pressure to keep customers’ information safe.

The magnitude / likelihood of data breaches involving insurance companies has led to significant regulatory inquiries and reputational damage. Governmental bodies have been creating regulations to crack down on these breaches and ensure that companies have cyber security programs in place.

• Welcome our Moderator and Panelists:

– Jerry Ravi – Moderator (Internal Audit and Risk Consultant)
  • Partner, EisnerAmper LLP
  • IASA Metro NY/NJ Chapter President

– Venkat Rao – Panel Member (Global Regulatory / Compliance Consultant)
  • Director, EisnerAmper LLP

– Jack Hewitt (Regulatory / Legal Expert)
  • Partner, Pastore & Dailey LLC


Page 4

Session Objectives

• Identify the six key aspects of the cybersecurity threat and regulatory landscape.

• Recognize key components surrounding the newly adopted New York State Department of Financial Services (NYSDFS) cybersecurity regulations.

• Recognize how insurers have implemented risk-based cyber security programs and solutions designed to properly manage and monitor cybersecurity threats, and to address the NYS DFS regulations.


Page 5

Overview of Topics (in order from top down, left to right columns)

Column 1:
• Always on your mind
• The Data Model is Changing
• Emerging Preventative Technologies
• Adjusting at a Slow Rate
• Rising Costs of Insecurity
• 12 Common Reasons for Data Breaches
• Two Factors Account for Most Theft and Loss
• Evolution of Cybersecurity Regulation
• What is the Main Regulatory Framework
• Framework for Improving Cybersecurity
• Sample NIST Risk Assessment – Heat Map
• Key SEC Enforcement Cases

Column 2:
• Key FINRA Enforcement Case
• Key Areas of Focus for Insurers and Financial Institutions
• NYDFS Cyber Security Rules and Regulations
• Summary of NYS DFS Rules
• Cybersecurity Definitions – Non-public Information – 500.01(g)
• New York State Information Security Breach and Notification Act
• Cybersecurity Program – Sect. 500.02
• Cybersecurity Policy – Sect. 500.03
• Information Security Program
• Cybersecurity Sources
• Chief Information Security Officer (CISO) – Sect. 500.04
• Governance Policy

Column 3:
• Risk Assessment – 500.09
• Access Policy
• Data Loss Protection Policy
• Third Party Service Providers – Vendors – Sect. 500.11
• Training – 500.14
• Incident Response Plans – 500.16
• Notices – 500.17
• Exemptions
• Key Takeaways
• Key Insurance Industry Themes
• Perform a Continuous Assessment
• Preventative Measures


Page 6

Today’s Speakers

Jerry Ravi, Partner, EisnerAmper LLP

Jerry Ravi is a Partner in the Consulting Services Group. Jerry has over 15 years of business advisory and audit experience, with a unique ability to bring clarity and forward movement to the decision-making process. Combining advisory, facilitation and coaching, his work results in positive and sustainable business growth and risk management programs. Jerry helps clients translate complex challenges and regulatory requirements into sound strategies, providing the catalyst for change and the capacity to take action.

Jerry partners with management, audit executives and board members to effectively manage and monitor risks facing their organizations. Through the role of internal auditor, compliance and enterprise risk specialist, he provides value-added assurance and consulting services. Jerry’s credo is to protect value and enhance outcomes and performance through practical and cost-effective solutions, including the coordination and utilization of people, process and technology.

Jerry’s primary focus has been on managing Enterprise Risk Management (ERM) and internal audit and compliance engagements, which entails assisting and educating clients in designing an enterprise-wide risk management program. This includes deploying risk-based internal audit plans to enhance governance processes and monitor ongoing compliance with key controls in key risk areas.

Jerry serves clients in a variety of highly regulated industries, maintaining a focus on the financial services sector where he helps companies address financial, operational, technology and regulatory risk and assists with operational excellence to overcome market and regulatory challenges.


Page 7

Today’s Speakers

Venkat Rao, Director, EisnerAmper LLP

Venkat Rao is a Director with EisnerAmper’s Global Compliance and Regulatory Solutions. He has nearly 15 years of experience working with hedge funds, private equity funds, commodity pool operators, registered investment advisors, broker-dealers, investment banks, and insurance companies.

Venkat provides value added solutions to enhance compliance programs, such as creating compliance manuals and anti-money laundering (“AML”) procedures, performing mock regulatory examinations, and conducting risk assessments and annual reviews. He has conducted AML risk assessments pursuant to requirements under the Bank Secrecy Act, and tested compliance with a firm’s AML program to identify deficiencies. Venkat also advises clients on the latest regulatory developments from the SEC and CFTC.

Venkat has worked extensively with various members of large and small organizations in addressing regulatory needs, including cybersecurity matters. He has overseen compliance departments, including AML compliance programs, and created, developed and tested policies and procedures in advance of and in preparation for regulatory exams.

Prior to joining the firm, Venkat was a Chief Compliance Officer for broker-dealers and investment advisors of hedge funds and private equity funds. Venkat headed the examination program for registered investment advisors and broker-dealers for a global professional services firm. In addition, he served as a risk and regulatory consultant in a Big Four accounting firm’s Advisory Services Practice, and advised many financial institutions of various sizes.


Page 8

Today’s Speakers

John R. (“Jack”) Hewitt, Partner, Pastore & Dailey LLC

John R. ("Jack") Hewitt is a securities lawyer and focuses his practice on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues.

Cybersecurity is a major part of Mr. Hewitt’s practice, and he is a recognized national authority in this field. Among other things, he advises firms on their development of information security programs, guides them through cyber incidents and represents them in any resultant regulatory inquiry. Mr. Hewitt regularly conducts cybersecurity audits for broker-dealers and investment advisers, and was the SEC appointed independent outside consultant in the first major SEC cybersecurity enforcement action, In the Matter of LPL Financial Corp., Respondent Admin. Proc. File No. 3-13181 (2008).

Mr. Hewitt has written extensively on the regulation of electronic technology in the securities markets, including a series of articles for the New York Law Journal, and has chaired and spoken at numerous seminars on it. Mr. Hewitt is the author of Cybersecurity in the Federal Securities Markets, a Bloomberg BNA treatise, and is the editor and author of Securities Practice & Electronic Technology, an ALM publication. He is also the author of the Record Keeping and Advertising Chapters of the PLI Broker-Dealer Regulation treatise.

Mr. Hewitt is currently the Co-Chair of the American Bar Association, Business Section Subcommittee on Cybersecurity. He is a recipient of the Compliance Reporter Compliance Person of the Year award for his work in electronic technology regulation, was a participant in the Securities and Exchange Commission’s roundtable discussions on internet issues and is listed on the International Who’s Who of e-Commerce lawyers.


Page 9

Always on your mind?

• It’s an evolving threat

• Digital initiatives, greater connectivity, greater risk

• Balancing cybersecurity with profitability

AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE


Page 10

THE DATA MODEL IS CHANGING…


Page 11

Emerging Preventative Technologies

There are a number of emerging technologies being introduced into commercial markets and the insurance industry, some of which are restructuring many industries:

– Blockchain Technology
– Mobile Micro-insurance
– Wearables
– Smart Contracts
– Commercial Drone Usage

According to a study produced by Accenture, only 0.2% of annual premiums were spent by insurance companies on digital initiatives.


Page 12

Adjusting at a Slow Rate

• The level of investment and projects regarding blockchain is relatively low in the insurance industry, at 3% participation

• 75% of the world’s leading financial institutions have partnered seeking to create a ledger system based on blockchain technology

• 87% of insurance respondents say we have entered an era marked by an exponential rate of change


Page 13

Rising Costs of Insecurity


Source: 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute

• The average consolidated total cost of a data breach is $4 million.

• The cost incurred for each lost or stolen record containing sensitive and confidential information increased from a consolidated average of $154 to $158.

• In addition to cost data, the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months is estimated to be 26 percent.


Page 14

12 Common Reasons for Data Breaches

According to the new Ponemon Institute study, “Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations,” 76 percent of organizations experienced the loss or theft of data last year.

1. Loss or theft of data is up sharply

2. Insider negligence is the number one internal threat

3. Ransomware and phishing attacks are a growing threat

4. Employees’ jobs require them to access more proprietary data

5. Companies need to track employees’ access to confidential data

6. Progress in combating these threats is not being encouraged


Page 15

12 Common Reasons (continued)

The study looks into the most common and detrimental factors behind those incidents, and briefly touches upon ways in which these harmful data breaches could be avoided, treated, or act as lessons that can be learned from.

7. Many organizations have no searchable records of file system activity

8. Companies are slow to detect unauthorized file access

9. End users are not deleting files, thus exacerbating vulnerability

10. Moving to the cloud is happening much more slowly than expected

11. Two troubling factors account for most data theft and loss (to be discussed)

12. Too many companies aren’t taking security seriously enough


Page 16

Two Factors Account for Most Theft and Loss

The continuing increase in data loss and theft is due in large part to two troubling factors:

– Compromises in insider accounts – exacerbated by far wider employee and third-party access to sensitive information than is necessary.

– Failure to monitor – access and activity around email and file systems, where most confidential and sensitive data moves and lives, is not monitored thoroughly enough.


Page 17

REGULATORY LANDSCAPE

Venkat Rao
Director, EisnerAmper LLP


Page 18

Evolution of Cybersecurity Regulation

Regulators initially addressed cybersecurity through risk alerts, guidance and examinations. More recently, regulators have issued formal cybersecurity rules for financial services firms.

• 2000-2013: Passage of GLB, enactment and enforcement of Regulation S-P.

• April 2014: SEC issues first Risk Alert announcing its cyber security initiative for broker-dealers and investment advisers.

• February 2015: FINRA issues its report on cybersecurity practices.

• April 2015: NAIC adopts cybersecurity principles.

• August 2015: NFA adopts compliance rules around information security systems.

• September 2015: SEC issues Risk Alert identifying areas of examination focus related to cybersecurity.

• 2016: FinCEN issues FAQs related to cyber-SARs.

• March 2017: NYS DFS new cybersecurity rules for covered financial institutions take effect.

Key Themes From Cybersecurity Regulatory Initiatives

• Governance and Risk Assessments – Regulators expect firms to perform risk assessments to understand the cyber threats to their organization, and to involve the board and senior management in cyber risk discussions.

• Safeguard Customer Data – SEC registrants are required to follow Regulation S-P of the Securities Act, mandating protection of customer data.

• Breach Reporting – In the event of a cyber breach, many states require reporting of breaches to state regulators. As many public incidents have shown, firms may also be required to notify customers if their information has been compromised.

• Periodic Testing – Penetration and vulnerability tests are examples of probing the effectiveness of a firm’s information security system. To meet key regulatory requirements, firms are expected to periodically conduct such tests, either internally or through third parties.

• Potential AML Implications – Certain incidents that involve cyber crimes may trigger SAR filing requirements. Financial institutions will be expected to include cyber-related information and identifiers when filing such SARs.

• Training – Employee conduct (intentional or unintentional) tends to expose firms to cyber threats. Training and table top exercises can mitigate this threat.


Page 19

What is the main regulatory framework?

• The National Institute of Standards and Technology (NIST) provides a cybersecurity framework adopted by much of the financial services industry and the Securities and Exchange Commission (“SEC”). The NIST Framework consists of 3 parts:

– Framework Core – set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.

– Framework Implementation Tiers - the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive)

– Framework Profile - the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.


Page 20

Framework for Improving Cybersecurity


Page 21

Sample NIST Risk Assessment - Heat Map

• Create a short and longer term action plan based on overall risk score

Heat map (rows: Likelihood Score; columns: Impact Score; cells: number of assessed items)

Likelihood \ Impact     High   Medium   Low
High                       2        2     0
Medium                     4       17     9
Low                        2       25    37

Overall Risk Score by Function (number of assessed items)

Function          High   Medium   Low
IDENTIFY (ID)        2        9    13
PROTECT (PR)         3        4    28
DETECT (DE)          1        0    17
RESPOND (RS)         0        2    13
RECOVER (RC)         2        4     0

The Function rows are given in the Framework’s ID, PR, DE, RS, RC order; each row totals that Function’s number of subcategories in Framework v1.0 (24, 35, 18, 15 and 6, or 98 in all), which is also the number of items in the heat map.
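An added example (not from the presentation) of how the slide’s heat map and per-Function table can be rolled up from individual subcategory ratings. The overall-risk rule is an assumption inferred from the slide’s own numbers: scoring High=3, Medium=2, Low=1 and cutting the sum at 5 or more for High, 4 for Medium and 3 or less for Low turns the 98 heat-map items into 8 High, 19 Medium and 71 Low, exactly the totals of the Function table. Item ids and the Function assignment of each item are constructed, since the slide does not state them.

```python
"""Roll-up of a NIST CSF risk assessment into a likelihood/impact heat map and a
per-Function overall-risk table, in the style of the slide.

Added example, not from the presentation. The scoring rule and the sample data
are assumptions described in the comments.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LEVELS = ("High", "Medium", "Low")
SCORE = {"High": 3, "Medium": 2, "Low": 1}
FUNCTIONS = ("IDENTIFY (ID)", "PROTECT (PR)", "DETECT (DE)", "RESPOND (RS)", "RECOVER (RC)")

# The nine cell counts read off the slide's heat map: (likelihood, impact) -> items.
SLIDE_HEAT_MAP: Dict[Tuple[str, str], int] = {
    ("High", "High"): 2, ("High", "Medium"): 2, ("High", "Low"): 0,
    ("Medium", "High"): 4, ("Medium", "Medium"): 17, ("Medium", "Low"): 9,
    ("Low", "High"): 2, ("Low", "Medium"): 25, ("Low", "Low"): 37,
}


@dataclass(frozen=True)
class Assessment:
    subcategory: str   # hypothetical id such as "PR.AC-1"
    function: str      # one of FUNCTIONS
    likelihood: str    # High / Medium / Low
    impact: str        # High / Medium / Low


def overall_risk(likelihood: str, impact: str) -> str:
    """Assumed rule: sum the ordinal scores; >=5 is High, 4 is Medium, <=3 is Low.
    This is the only rule that reproduces the slide's 8 / 19 / 71 split."""
    total = SCORE[likelihood] + SCORE[impact]
    if total >= 5:
        return "High"
    if total == 4:
        return "Medium"
    return "Low"


def heat_map(items: Iterable[Assessment]) -> Dict[Tuple[str, str], int]:
    """Count items per (likelihood, impact) cell, with all nine cells present."""
    cells = {(lk, im): 0 for lk in LEVELS for im in LEVELS}
    for a in items:
        cells[(a.likelihood, a.impact)] += 1
    return cells


def function_table(items: Iterable[Assessment]) -> Dict[str, Dict[str, int]]:
    """Per-Function count of overall High / Medium / Low, like the slide's table."""
    table = {f: {lvl: 0 for lvl in LEVELS} for f in FUNCTIONS}
    for a in items:
        table[a.function][overall_risk(a.likelihood, a.impact)] += 1
    return table


def risk_totals(items: Iterable[Assessment]) -> Dict[str, int]:
    """Overall High / Medium / Low counts across all Functions."""
    return dict(Counter(overall_risk(a.likelihood, a.impact) for a in items))


def action_plan(items: Iterable[Assessment]) -> Dict[str, List[str]]:
    """The slide's short / longer term plan: High items are the short-term list,
    Medium the longer-term list, Low is tracked for re-assessment (bucket names
    are assumptions)."""
    plan: Dict[str, List[str]] = {"short_term": [], "longer_term": [], "monitor": []}
    bucket = {"High": "short_term", "Medium": "longer_term", "Low": "monitor"}
    for a in items:
        plan[bucket[overall_risk(a.likelihood, a.impact)]].append(a.subcategory)
    return plan


def synthesize(cells: Dict[Tuple[str, str], int]) -> List[Assessment]:
    """Constructed input: expand cell counts into individual items. The slide does
    not say which Function each cell belongs to, so Functions are assigned
    round-robin purely to exercise the code."""
    items: List[Assessment] = []
    n = 0
    for (lk, im), count in cells.items():
        for _ in range(count):
            items.append(Assessment(f"ITEM-{n:02d}", FUNCTIONS[n % len(FUNCTIONS)], lk, im))
            n += 1
    return items


def render(cells: Dict[Tuple[str, str], int]) -> str:
    """Plain-text heat map: rows are likelihood, columns are impact."""
    header = "Likelihood \\ Impact".ljust(20) + "".join(im.rjust(8) for im in LEVELS)
    rows = [lk.ljust(20) + "".join(str(cells[(lk, im)]).rjust(8) for im in LEVELS)
            for lk in LEVELS]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    sample = synthesize(SLIDE_HEAT_MAP)
    print(render(heat_map(sample)))
    print(risk_totals(sample))   # {'High': 8, 'Medium': 19, 'Low': 71}
    print(len(action_plan(sample)["short_term"]), "items on the short-term plan")
```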


Page 22

Key SEC Enforcement Cases

R.T. Jones: In September 2015, the St. Louis-based investment adviser settled charges with the SEC that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (“PII”) of approximately 100,000 individuals, including thousands of the firm’s clients. According to the SEC’s order*:

- The firm stored sensitive PII of clients and others on its third party-hosted web server for nearly 4 years;

- During this time, the firm’s web server was attacked by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft;

- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents;

- After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine the scope; and

- Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.

Based on the foregoing facts, the SEC found that the firm violated Rule 30(a) of Regulation S-P of the Securities Act of 1933 for failing to adopt written policies and procedures to safeguard customer data.

KEY TAKEAWAY: Policies and procedures must be reasonably designed and effectively implemented to protect customer data, and effective remediation measures must be in place in the event of a breach.

* In the Matter of R.T. Jones Capital Equities Management, Inc., SEC Release No. 4204, September 22, 2015.


Page 23

Key SEC Enforcement Cases (cont’d)

Morgan Stanley: In June 2016, Morgan Stanley Smith Barney LLC agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online. According to the SEC’s order*:

- Morgan Stanley’s policies and procedures were not reasonably designed to protect customer records and information; two (2) internal web portals allowed its employees to access customers’ confidential account information;

- For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need;

- Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals;

- Consequently, a previous employee downloaded and transferred confidential data to his personal server at home between 2011 and 2014;

- A likely third-party hack of the employee’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.

Based on the foregoing facts, the SEC found that the firm violated Rule 30(a) of Regulation S-P of the Securities Act of 1933 for failing to adopt written policies and procedures to safeguard customer data.

KEY TAKEAWAY: Firms must review policies and procedures around authorization of employee access to confidential customer data, and periodically review and test such authorization.

* In the Matter of Morgan Stanley Smith Barney LLC, SEC Release No. 78021, June 8, 2016.
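An added example, not Morgan Stanley’s or the SEC’s code, showing the three controls the order found missing: an authorization module that limits portal access to each employee’s legitimate business need, a periodic test of that module through its real access path, and monitoring of the resulting audit log. The portal, the account and employee ids, the “book of business” entitlement model and the alert thresholds are all constructed assumptions.

```python
"""Need-to-know authorization for a customer-data portal, with an audit trail,
an enforcement test and a monitoring check over the log.

Added example, not Morgan Stanley's or the SEC's code; all names, ids and
thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data: customer records keyed by account id, and each
# employee's book of business (the accounts they have a business need to see).
ACCOUNTS: Dict[str, dict] = {
    "ACC-1001": {"name": "Customer A", "balance": 125_000},
    "ACC-1002": {"name": "Customer B", "balance": 40_000},
    "ACC-2001": {"name": "Customer C", "balance": 980_000},
    "ACC-2002": {"name": "Customer D", "balance": 15_000},
}
BOOK_OF_BUSINESS: Dict[str, Set[str]] = {
    "emp-alice": {"ACC-1001", "ACC-1002"},
    "emp-bob": {"ACC-2001", "ACC-2002"},
}


def fetch_account_unrestricted(employee: str, account: str) -> dict:
    """The 'before' the order describes: the portal applies no entitlement check
    and writes no audit record, so any employee can pull any account."""
    return ACCOUNTS[account]


@dataclass
class Portal:
    """The 'after': deny-by-default entitlements plus an audit log."""
    entitlements: Dict[str, Set[str]]
    audit_log: List[dict] = field(default_factory=list)

    def is_authorized(self, employee: str, account: str) -> bool:
        # An employee unknown to the entitlement store has an empty book.
        return account in self.entitlements.get(employee, set())

    def fetch_account(self, employee: str, account: str) -> dict:
        """Every decision, allowed or denied, is recorded before data is returned."""
        allowed = self.is_authorized(employee, account)
        self.audit_log.append({"employee": employee, "account": account, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{employee} has no business need for {account}")
        return ACCOUNTS[account]


def verify_enforcement(portal: Portal, accounts: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Periodic test of the authorization module: exercise the real access path for
    every employee/account pair and report each pair whose outcome differs from
    the entitlement store. Run it against a test copy of the portal, since the
    probes land in its audit log."""
    failures = []
    for employee, book in portal.entitlements.items():
        for account in accounts:
            try:
                portal.fetch_account(employee, account)
                granted = True
            except PermissionError:
                granted = False
            if granted != (account in book):
                failures.append((employee, account))
    return failures


def access_alerts(audit_log: List[dict], denied_threshold: int = 3,
                  sweep_threshold: int = 2) -> List[Tuple[str, str]]:
    """Monitoring over the audit log with two constructed rules: repeated denials
    (an employee reaching for accounts outside their book) and a sweep (an
    employee pulling many distinct accounts, even entitled ones, which is what a
    bulk download of customer data looks like from the log's point of view)."""
    denied: Dict[str, int] = defaultdict(int)
    distinct: Dict[str, Set[str]] = defaultdict(set)
    for rec in audit_log:
        if rec["allowed"]:
            distinct[rec["employee"]].add(rec["account"])
        else:
            denied[rec["employee"]] += 1
    alerts = []
    for emp, count in denied.items():
        if count >= denied_threshold:
            alerts.append((emp, f"{count} denied account lookups"))
    for emp, accts in distinct.items():
        if len(accts) >= sweep_threshold:
            alerts.append((emp, f"accessed {len(accts)} distinct accounts"))
    return sorted(alerts)


def demo() -> List[Tuple[str, str]]:
    """Constructed session: bob pulls his whole book, then tries alice's accounts."""
    portal = Portal(BOOK_OF_BUSINESS)
    for acct in ("ACC-2001", "ACC-2002"):
        portal.fetch_account("emp-bob", acct)
    for acct in ("ACC-1001", "ACC-1002", "ACC-1001"):
        try:
            portal.fetch_account("emp-bob", acct)
        except PermissionError:
            pass
    return access_alerts(portal.audit_log)


if __name__ == "__main__":
    print("enforcement test failures:", verify_enforcement(Portal(BOOK_OF_BUSINESS), ACCOUNTS))
    for employee, reason in demo():
        print("ALERT", employee, reason)
```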


Page 24

Key FINRA Enforcement Case

Sterne Agee & Leach, Inc.: In May 2015, the Alabama-based self-clearing broker-dealer was censured and fined $225,000 for failing to protect confidential information and maintain adequate written compliance and supervisory procedures. According to the FINRA Action*:

- The firm placed personal and confidential information of more than 350,000 customers at risk when “an Information Technology employee inadvertently left an unencrypted laptop in a restroom and it was lost”;

- FINRA cited Regulatory Notice 05-49, which provides guidance regarding safeguarding confidential customer information and “whether the member's existing policies and procedures adequately address the technology currently in use," and "whether the member has taken appropriate technological precautions to protect customer information”;

- The firm purchased encryption software, but failed to fully implement the encryption solution by not allocating sufficient funds;

- Sterne Agee failed to adopt written supervisory procedures to ensure the security of sensitive customer information.

Based on the foregoing facts, FINRA found that the firm violated Rule 30(a) of Regulation S-P of the Securities Exchange Act of 1934, NASD Conduct Rule 3010, and FINRA Rule 2010 for failing to adopt adequate written policies and procedures to safeguard customer data.

KEY TAKEAWAY: Firms must fully implement policies and procedures to safeguard customer data, and not delay allocation of funding for such critical resources.

* Sterne Agee & Leach, Inc., FINRA Letter of Acceptance, Waiver and Consent No. 2014041619501, May 22, 2015.


Page 25

Key Areas of Focus for Insurers and Financial Institutions:

It’s imperative to develop policies and procedures for all focus areas, including:

• Governance and Risk Assessment – Evaluate cybersecurity risks and level of communication

• Access Rights and Controls – How firms control onsite and offsite access to systems and data

• Data Loss Prevention – How firms monitor outbound communication and data transferred

• Vendor Management – The level of due diligence firms conduct on a vendor

• Employee Training – How firms train employees and third party vendors

• Incident Response – Whether firms have established proper protocols


Page 26

NYDFS CYBER SECURITY RULES AND REGULATIONS

Jack Hewitt
Partner, Pastore & Dailey LLC


Page 27

Summary of NYS DFS Rules

Information Security is at the forefront of everyone’s minds. Breaches across multiple industries with major corporations being involved have caused NYS DFS to update their cyber security regulations.

New Regulations will include:

• A risk assessment will be included to allow organizations to evaluate and categorize risks and threats, as well as how to mitigate these risks.

• Designating a Chief Information Security Officer (CISO) for overseeing and implementing the cyber security program.

• Conducting annual penetration tests based on relevant risks.

• Maintaining systems that are able to reconstruct material financial transactions and retaining those records for a minimum of five years.

• Designing policies and procedures for management of third party service providers based on the risk assessment of the covered entity.


Page 28

Cybersecurity Definitions – Non-public Information – 500.01(g)

Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.


Page 29

Cybersecurity Definitions – Non-public Information – 500.01(g)

Any information which because of name, number, personal mark, or other identifier can be used to identify an individual, combined with:

(i) social security number;
(ii) drivers’ license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password permitting access to a financial account; or
(v) biometric records.


Page 30

New York State Information Security Breach and Notification Act

Rule 500.01(g) is very similar to the definition of Personally Identifiable Information in the New York State Information Security Breach and Notification Act.

https://ag.ny.gov/internet/data-breach


Page 31

Cybersecurity Program - Sect. 500.02

Shall be designed to:

1) Identify and assess internal and external cybersecurity risks;

2) Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

3) Detect Cybersecurity Events;

4) Respond to identified or detected Cybersecurity Events to mitigate any negative effects;

5) Recover from Cybersecurity Events and restore normal operations and services; and

6) Fulfill applicable regulatory reporting obligations.


Page 32

Cybersecurity Policy – Sect. 500.03

Covered Entities are required to implement and maintain a written policy that addresses the following:

1) Information security;

2) Data governance and classification;

3) Asset inventory and device management (Risk Assessment -500.09);

4) Access controls and identity management (Access Privileges -500.07);

5) Business continuity and disaster recovery planning and resources;

6) Systems operations and availability concerns;


Page 33

Cybersecurity Policy – Sect. 500.03

7) Systems and network security;

8) Systems and network monitoring;

9) Systems and application development and quality assurance;

10) Physical security and environmental controls;

11) Customer data privacy;

12) Vendor and Third Party Service Provider (TPSP) management (Third Party Service Provider Security Policy - 500.11);

13) Risk assessment (Risk Assessment - 500.09); and

14) Incident response (Incident Response Plan - 500.16).


Page 34

Information Security Program

A properly structured ISP should address the following cybersecurity requirements:

• Governance

• Risk Assessment

• Access Rights and Control

• Data Loss Prevention

• Vendor Management

• Training

• Incident Response


Page 35

Cybersecurity Sources

• NIST – Framework for Improving Critical Infrastructure Cybersecurity (Vers. 1.0, 2014)

• FINRA Report on Cybersecurity Practices (February 2015)

• SEC National Exam Program Risk Alert, 2015 Cybersecurity Examination Initiative, Vol. IV, Issue 8 (Sept. 15, 2015).

• Cybersecurity in the Federal Securities Markets, 383 Securities Practice Portfolio Series (BNA) (2016)


Page 36

Chief Information Security Officer (CISO) – Sect. 500.04

Qualified individual responsible for developing, overseeing and implementing the Governance Policy.

CE may use a Third Party Service Provider to address this obligation but retains responsibility.

Must file an Annual Report with the Board on cybersecurity status of firm.


Page 37

Governance Policy

FINRA Cybersecurity Practices Report:

• Development of an internal cybersecurity governance framework appropriate to the organization’s size and business.

• Originating at and directed by the Board and senior management.

• It should specify the departments and firm officers responsible for cybersecurity-related matters, their roles and responsibilities and their position within the firm’s organization.

• Regular CISO briefings of the Board and senior management.


Page 38

Risk Assessment – 500.09

Initial and periodic risk assessment of information systems to allow for design, implementation and revision of ISP.

NIST Framework provides that a risk assessment should:

• identify and document asset vulnerabilities;

• review threat and vulnerability information from information sharing forums and sources;

• identify and document internal and external threats;

• identify potential business impacts and likelihoods;

• use threats, vulnerabilities, likelihoods and impacts to determine risk; and

• identify and prioritize risk responses.


Page 39

Access Policy

• Pre-employment Procedure

• Employee Access Procedure

– Principle of Least Privilege

– Separation of Duties

• Access Modification and Revocation

• Access Lists, Monitoring and Annual Recertification

• Password Policy

• Employee Termination Procedure (24hrs)

• Employee Security Training
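As an added illustration, not part of the presentation, the following Python reviews a constructed access list against three of the controls on this slide: separation of duties, revocation of access within 24 hours of termination, and annual recertification. The entitlement names, the conflict pairs, the review date and all sample accounts are assumptions made for the example.

```python
"""Access-list review: separation of duties, 24-hour revocation, annual recertification.

Added example; entitlement names, conflict pairs and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Review parameters (assumed for the example). The 24-hour window and the annual
# recertification cycle follow the slide; the review date is arbitrary.
REVIEW_DATE = datetime(2017, 3, 23)
REVOCATION_WINDOW = timedelta(hours=24)
RECERT_PERIOD = timedelta(days=365)

# Entitlement pairs that one person must never hold together (assumed SoD rules).
SOD_CONFLICTS = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
}


@dataclass
class Account:
    user: str
    entitlements: Set[str]
    enabled: bool
    last_recertified: datetime


@dataclass
class HrRecord:
    user: str
    terminated_at: Optional[datetime]  # None means still employed


Finding = Tuple[str, str, str]  # (user, finding code, detail)


def review_access(accounts: List[Account], hr: List[HrRecord],
                  now: datetime = REVIEW_DATE) -> List[Finding]:
    """Return one finding per control violation found in the access list."""
    findings: List[Finding] = []
    hr_by_user = {r.user: r for r in hr}
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            # An account with no owner in HR cannot be recertified by anyone.
            findings.append((acct.user, "orphan", "no matching HR record"))
        elif rec.terminated_at and acct.enabled and now - rec.terminated_at > REVOCATION_WINDOW:
            overdue = now - rec.terminated_at - REVOCATION_WINDOW
            findings.append((acct.user, "late_revocation",
                             f"still enabled {overdue} past the 24h window"))
        # Separation of duties: flag any forbidden pair held in full.
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append((acct.user, "sod_conflict", " + ".join(sorted(pair))))
        # Annual recertification applies to enabled accounts only.
        if acct.enabled and now - acct.last_recertified > RECERT_PERIOD:
            findings.append((acct.user, "recert_overdue",
                             f"last recertified {acct.last_recertified.date()}"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the review over constructed sample data."""
    accounts = [
        Account("alice", {"read_ledger"}, True, datetime(2016, 6, 1)),
        Account("bob", {"initiate_payment", "approve_payment"}, True, datetime(2017, 1, 10)),
        Account("carol", {"read_ledger"}, True, datetime(2016, 9, 1)),   # left 3 days ago
        Account("dave", {"read_ledger"}, False, datetime(2015, 1, 1)),   # disabled on time
        Account("erin", {"admin"}, True, datetime(2016, 2, 1)),          # recert > 1 year
        Account("frank", {"read_ledger"}, True, datetime(2017, 1, 1)),   # unknown to HR
        Account("grace", {"read_ledger"}, True, datetime(2017, 1, 1)),   # left 6 hours ago
    ]
    hr = [
        HrRecord("alice", None),
        HrRecord("bob", None),
        HrRecord("carol", datetime(2017, 3, 20)),
        HrRecord("dave", datetime(2017, 3, 22)),
        HrRecord("erin", None),
        HrRecord("grace", datetime(2017, 3, 22, 18, 0)),
    ]
    return review_access(accounts, hr)


if __name__ == "__main__":
    for user, code, detail in sample_findings():
        print(f"{user:6} {code:16} {detail}")
```

The review deliberately does not flag `dave`, whose account was disabled inside the window, or `grace`, whose termination is six hours old: the 24-hour procedure on the slide is a deadline, and a check that fires before it elapses produces noise rather than a finding.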


Page 40

Data Loss Protection Policy

Protect a firm's confidential and sensitive data through a defense-in-depth strategy, i.e. the layering of multiple independent security controls strategically throughout its information technology systems:

• Firewalls and new Firewalls

• Intrusion Detection Systems

• Intrusion Prevention Systems

• Monitoring and Auditing Devices

• Encryption


Page 41

Third Party Service Providers – Vendors – Sect. 500.11

Each Covered Entity shall implement TPSP written policies and procedures based on its Risk Assessment and shall address:

• the identification and risk assessment of TPSP;

• minimum cybersecurity practices required to be met;

• due diligence processes; and

• periodic assessment.

FINRA Cybersecurity Study – Vendor Management Section


Page 42

Training – 500.14

Covered entities should provide for regular cybersecurity awareness training for all personnel that is updated to reflect its current risks.

The FINRA Cybersecurity Practices Report lists the following as key topics for a firm's training program:

• Recognizing Risks

• Social Engineering Schemes and Phishing

• Handling Confidential Information

• Password Protection

• Escalation Policies

• Physical Security

• Mobile Security

• Application Security

• Emerging Technology Issues

• Software Vulnerabilities


Page 43

Incident Response Plans – 500.16

Designed to promptly respond to, and recover from, any Cybersecurity Event.

Incident response plans should address:

(1) The internal processes for responding to a Cybersecurity Event;

(2) Definitive goals;

(3) Clear roles, responsibilities and levels of decision-making authority;

(4) External and internal communications and information sharing;

(5) Remediation of any identified ISP weaknesses;

(6) Documentation and reporting of Cybersecurity Events and related incident response activities; and

(7) Evaluation and revision of the incident response plan following a Cybersecurity Event.


Page 44

Notices – 500.17

Event Notification

Notify the superintendent as promptly as possible but in no event later than 72 hours from a determination of a:

• Cybersecurity Event of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; and

• Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

Annual Statement

• Commencing February 15, 2018, covered entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with NYS DFS Cybersecurity Regulations.

Document requirements for material improvement, updating or redesign.


Page 45

Exemptions

• Exemptions include those with:

– Fewer than 10 employees including any independent contractors.

– Less than $5,000,000 in gross annual revenue in each of the last three fiscal years.

– Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.

• An entity that qualifies for an exemption must file a “Notice of Exemption.” In the event that an entity, as of its most recent fiscal year-end, ceases to qualify for an exemption, it shall have 180 days from such fiscal year-end to comply with applicable requirements.


Page 46

KEY TAKEAWAYS

Enhance Cyber Awareness

Be Proactive (Defense / Offense)

Identify & Monitor Risks

Enhance Your Business

Protect Your Brand


Page 47

Key Insurance Industry Themes

Information Security and Risk Needs to be a Top Priority

• Carriers must be cognizant and vigilant of the risk to their entire infrastructure

• New services, market opportunities, and creative mobility solutions are creating challenges to stay ahead

• Damage to insurer’s reputation was biggest concern among executives, employees, and customers

You Never Know Which Next Big Idea Will Stick (EMERGING TECHNOLOGIES)

• Insurance technology startups are increasing at a rapid rate, but an estimated 9 out of 10 will fail

• Companies that will prosper are very likely to include some that transform the industry

• Opportunities for investing, partnering, or learning lessons from these companies should be considered in strategic planning initiatives


Page 48

Perform a Continuous Risk Assessment

Cyber Security Risk Assessment



Page 49

Preventative Measures

• There are a number of ways in which loss or theft of data can be prevented and avoided:

– Look beyond IT security when assessing your company's data breach risks

– Establish a comprehensive data loss protection plan

– Educate employees about appropriate handling and protection of sensitive data

– Conduct a periodic risk assessment

– Provide training and technical support to mobile workers

– Don’t rely on encryption as your only method of defense

– Keep current with security software updates or patches

– Hold vendors and partners to the same standards


Page 50

CLOSING REMARKS


Page 51

CONTACT INFORMATION

Jerry Ravi
Partner, Consulting Services Group
EisnerAmper LLP
(732) 770-3519
[email protected]

Venkat Rao
Director, Global Compliance & Regulatory Solutions
EisnerAmper LLP
(347) 735-4761
[email protected]

John R. (“JACK”) Hewitt
Partner
Pastore & Dailey LLC
(646) 549-9551
[email protected]

IASA Metro NY/NJ CHAPTER


Page 52

Upcoming Webinars

• See the e-learning landing page at www.iasa.org/e-learning for more information. (All times are 2:00pm EDT/EST unless otherwise noted)

• May 2 – 2017 NAIC Spring Meeting Review

• May 9 – Economic Outlook 2017

• Today’s presentation will be archived on the IASA website at www.iasa.org/e-learning and will be available tomorrow afternoon.

Archived webinars:

• February 21: The War for Talent: How to Engage and Retain

• January 24: The Life Insurance Industry: A Solution Provider Overview

• January 12: 2016 NAIC Fall Meeting Review

• IASA’s 5th Edition Life/Accident/Health Textbook is now available in both eBook and Print! Visit www.iasa.org/publications for details!


Page 53

Thank you for joining us!

We are interested in your thoughts about this presentation and topics you may want to see covered in the future.

REMEMBER: Please use the SURVEY and TEST widgets to complete your “Survey” and “Request for CPE” to validate your requirements for CPE credit and then print your certificate using the CERTIFICATION widget at the bottom of your console before exiting today’s event.

All three widgets are required to meet your requirements for CPE. Again, we appreciate your attention as we evolve the process to meet your educational needs. The console will remain open for 30 minutes following the event to allow time to complete these requirements. You will also be able to complete these requirements within 24 hours if additional time is needed to complete your survey, test or print your certificate.

If you have difficulty viewing the archived presentation, or would like further information about this and future topics to be covered, please contact:

Tricia Stillman
AVP – Membership and Marketing – IASA
[email protected]
984-244-7039