DFS Expands Its Cyber Focus to Insurers

30 March 2015

Key takeaways

  • On Thursday, March 26, New York State’s Department of Financial Services (DFS) announced a major expansion of its cybersecurity efforts: DFS will require insurers to respond to a special “comprehensive risk assessment” on cybersecurity, with those assessments to be followed by an enhanced focus on cybersecurity as part of DFS’s regular examinations of insurers.
  • DFS has not promulgated specific cybersecurity standards, but it is strongly suggesting what it considers best practices by the questions it asks. We have previously called that “regulation by implication” – the questions themselves imply answers that the agency is likely to prefer.
  • Although the most recent DFS guidance specifically applies only to the insurers it regulates, companies in all industries may find the DFS “308 letter” a useful checklist for assessing their own cybersecurity posture.