In the wake of the SolarWinds news, which we covered here, Cybersecurity and D&O insurance have been top of mind. To refresh, the SEC charged Timothy Brown, chief information security officer for SolarWinds, with fraud for withholding vulnerabilities that led to a cyber attack on at least 100 critical infrastructure firms, exposing some 18,000 companies. 

But it isn’t just the SEC paying closer attention to cybersecurity law. States are digging in, too. We wanted to highlight two related rulings coming into force in 2024.

• This past November, the New York Department of Financial Services (NYDFS) finalized changes to cybersecurity regulations in a bill passed in the spring and designed to upgrade cybersecurity practices for financial institutions and insurance companies in New York State. April 15th, 2024 marks the deadline for certification requirements, with CISO, management, and board governance rules to be implemented by November 1, 2024. 

• Washington State’s recently passed “My Health My Data” law takes effect on March 31st, 2024, and is designed to regulate the collection, sharing, and sale of consumer health information in Washington State. 

Why Should You Care? 

Heightened cybersecurity regulation can and will impact cybersecurity insurance. These new laws will affect insurance underwriting. Carriers will most likely adjust their risk assessments and premiums based on a company’s compliance with the new regulations. Non-compliance will almost certainly result in higher premiums or, in some cases, denial of coverage. Non-compliance will signal to insurers an increased risk of cybersecurity breaches, from data hacks to ransomware, phishing attacks, and other forms of cyber extortion. 

What’s In the New Rules? 

The NYDFS Cyber Rules cover a range of security enhancements, with a focus on the following:

• Executive certifications: A company’s top executive and Chief Information Security Officer (CISO) are now required to sign compliance certifications on an annual basis.

• Incident response plans: Companies will need clearly delineated response plans in place to ensure a prompt response and swift recovery from cyber attacks. 

• Business continuity plans: Entities will also need to outline a clear business continuity and disaster recovery strategy to avoid lengthy downtime in operations in the event of a cybersecurity incident.

• Risk assessments: Whenever there is a change in a company’s cyber risk, the company will be required to review and update its security risk assessment. 

• Technical controls: More stringent requirements around Multifactor Authentication (MFA) and encryption, as well as vulnerability assessments.

The Washington State My Health My Data Act adds new requirements protecting consumer health data, with a focus on: 

• Consumer consent: The Act mandates that companies gather unique consent for collecting and sharing consumer health data. Clear consent must also be separately obtained for the sale of consumer health data. Time limits have also been added to sales provisions. 

• Consumer rights: Consumer rights to their health data have been expanded, and now include the consumer’s ability to view their data, to know its intended use of the collected data, to know who the data is shared with, to retract consent for sharing, and to demand data deletion with no exceptions. Companies are given strict timelines to respond to and comply with consumer requests, and to communicate changes to involved parties. 

• Security requirements: Enhanced security requirements for the protection of data are required, and the Act restricts geofencing around healthcare facilities designed to collect data and serve healthcare-related advertisements to consumers. 

The Big Picture 

None of this comes as a surprise to anyone watching the cybersecurity space. The U.S. government has recently made cybersecurity a top priority. In March, the White House issued an executive order on Improving the Nation's Cybersecurity along with a National Cybersecurity Strategy. In June, the DOJ created a new National Security Cyber Section. In July, the SEC adopted new rules for public companies on Cybersecurity Risk Management. 

Additionally, the FTC has launched 20 privacy and security enforcement actions over the last three years with 80% of them in the last year. Similarly, the SEC has brought over 50 cyber-related enforcement actions in the last year. 

Prepare Yourself

It’s critical to get a head start on meeting the new cybersecurity regulations and ensuring that they don’t negatively impact your business insurance and cybersecurity coverage. Newfront represents 40 percent of the leading generative AI companies in the technology space, as well as 20% of U.S. unicorns. We are keenly aware of the emerging litigation landscape in the technology space, the issues involved, and how they are intimately tied to a company’s cybersecurity posture. 

To dig deeper into the laws and what it means for your business, get in touch. We’re happy to discuss potential impacts and solutions with you. The sooner the better.

Talk to an expert 

About Newfront 

Newfront is a modern brokerage transforming the risk management, business insurance, total rewards, and retirement services space through the combination of elite expertise and cutting-edge technology. Specializing in more than 20 industries and headquartered in San Francisco, Newfront has offices nationwide and is home to more than 800 employees serving organizations across the United States and globally. For more information, visit newfront.com and follow us on LinkedIn.

Sources: 

Kramer Levin. "New York Department of Financial Services Finalizes Significant Amendments to Its Cybersecurity Regulations." Kramer Levin, 9 Nov. 2023. https://bit.ly/3tRVBqM

WilmerHale. "NYDFS Finalizes Amendments to Cybersecurity Regulations." WilmerHale, 28 Nov. 2023. https://bit.ly/48q8fMZ

ReedSmith. "Implementation Underway for Washington’s New Wide-Reaching Consumer Health Data Law." ReedSmith, 22 Sept. 2023. http://bit.ly/47yWSkq