| DENVER, April 9
DENVER, April 9 A group of U.S. state insurance
regulators should use New York's sweeping cyber security rules
as a model for how insurers must protect their networks from
hackers and when they must disclose cyber events, New York's
financial regulator said on Sunday.
"We believe the best way for industry to focus on the threat
of cyber security is to have a consistent framework," said Maria
Vullo, superintendent of the New York State Department of
Financial Services at a meeting of the National Association of
Insurance Commissioners (NAIC) in Denver. "The New York
regulation is a road map with rules of the road."
Vullo made the remarks to a task force of state insurance
commissioners who have been wrestling with developing a uniform
cyber security law that all states can choose to adopt for
New York's cyber security rules took effect on March 1.
They followed a series of high-profile data breaches that
resulted in losses of hundreds of millions of dollars to U.S.
companies, including Target Corp, Home Depot Inc
and Anthem Inc.
The rules lay out steps that New York banks and insurers
must take to protect their networks and customer data from
hackers and disclose cyber events to state regulators.
Firms, for example, must scrutinize security at third-party
vendors that provide them goods and services. They must also
perform risk assessments in order to design a cyber security
program particular to them. Covered entities must annually
Institutions subject to the regulation include
state-chartered banks, as well as foreign banks licensed to
operate in the state, along with insurers that do business in
The NAIC task force is about to develop its fourth draft of
a proposed model cyber security law since forming in 2015.
Insurance commissioners have been unable to reach a consensus on
several points, including standards for circumstances in which
insurers must notify customers of a breach.
Model laws, which cover a variety of subjects, typically
lead to more uniformity among states. But they first must be
finalized and approved by organizations developing them before
being considered by state lawmakers.
The task force is aiming to develop another draft by May 9.
(Editing by Lisa Shumaker)