Ask PIA

Ask PIA is a members-only searchable database featuring hundreds of member questions answered by our highly qualified technical specialists.

Browse by topic

Cybersecurity

310411-00

Cyber security regulation—risk assessment

Is there a specific qualification for the risk assessor? In other words, can the owner/principal of the agency or an agency employee perform the risk assessment? Could it be our third-party information technology professional? Does it have to be a third party? Is there a New York state-approved vendors list?

310412-00

Cyber security regulation—no agency management system

Am I required to comply with the cyber security regulation if my agency does not have an agency management system? The policies I write for carriers are done on the internet, and all the information is uploaded to the carrier’s database. There are no Social Security numbers or driver’s license numbers stored in my computer.

310415-00

Cyber security regulation—who is subject?

Who is subject to the cyber security regulation?

310416-00

Cyber security regulation—limited exemption

What is the limited exemption?

310417-00

Cyber security regulation—compliance with limited exemption

If I qualify for the limited exemption, what do I need to do?

310419-00

Cyber security regulation—where to start

To comply with the cyber security regulation, where should I start?

310420-00

Cyber security regulation—noncompliance penalty

What would the penalty be if an insurance agent or broker did not comply with the New York state cyber security regulation?

310421-00

Cyber security regulation—notices 

How should a covered entity submit cyber security event notices, compliance certifications, and exemption notices to the department?

310422-00

Cyber security regulation—covered entity

Can an entity be both a covered entity and a third-party service provider under New York’s 23 NYCRR Part 500 cyber security regulation?

310424-00

Cyber security regulation—multi-factor authentication

Are all third-party service providers required to implement multi-factor authentication and encryption when dealing with a covered entity?

310428-00

Cyber security regulation—shell corporations

I have a partner who also has an independent insurance agency. We created an insurance-licensed entity for company appointment purposes, as well as a formal means of joining us together. This entity is owned by the two of us. It has no employees, no computers, and does not transact business. Does our cyber security program (from either or both agencies) cover this?

310429-00

Cyber security regulation—third-party service providers

What are “third-party service providers”?

310430-00

Cyber security regulation—definitions

What is a “cyber security event”? What is a “cyber security incident”? What is “non-public information”?

310434-00

Cyber security regulation—reportable events

When is an unsuccessful cyber security attack a reportable event?

310435-00

Cyber security regulation—encryption

Do the New York cyber security regulations require me to encrypt my email and policyholder data?

310436-00

Cyber security regulation—submitting limited exemption

What are the steps to submit my New York cyber security limited exemption online? What if I need to amend an exemption or no longer qualify for the exemption?

310437-00

Cyber security regulation—limited exemption form required for employees?

Do my licensed employees, agents, and representatives need to submit their own individual “Notice of Exemption” forms?

310463-00

Cyber security regulation—what am I exempt from?

I filed the exemption, but I can’t find anywhere what we are exempted from. What is the point of filing the exemption notice when doing so doesn’t seem to exempt us from anything?

310474-00

Cyber security regulation—retired licensee

I’m retired and no longer using my insurance license. I don’t use a computer or information system, nor do I retain any policyholder information. What do I need to do? Am I exempt?

310481-00

If I am a 1099 independent contractor, do I need to comply with New York’s cyber security regulation?

If I am a 1099 independent contractor, do I need to comply with New York’s cyber security regulation?

310482-00

Notification of data breach

I think that my computer information system was breached by a hacker. Am I required to notify my clients?

310509-00

Cyber security regulation—inactive licensee

I’m licensed but do not actively use my license. What do I need to do? Am I exempt?

310515-00

Cyber security regulation—access privileges and management

What are the responsibilities of an agency to limit user access to non-public information under 23 NYCRR 500?

310522-00

Cyber security training: agencies with limited exemptions

I qualify for the limited exemption under 23 NYCRR 500.19(a). Do I still need to provide annual cyber security awareness training for my employees?

310523-00

Cyber security awareness training

I recently attended a webinar about New York’s cyber security regulation (23 NYCRR 500). Does this webinar fulfill the cyber security awareness training requirement mandated by the regulation?

900426-00

Cyber requirements for non-resident licensees

Are nonresident N.Y. licensees subject to the new cyber requirements?

900429-00

General Data Protection Regulation compliance

I have heard that the European Union passed a cyber security regulation. Does it impact producers in the U.S.? If so, how do we comply with it?

900507-00

Multi-factor authentication

What is multi-factor authentication and why is it important?