NEW YORK AMENDS ITS CYBER SECURITY REGULATION (23 NYCRR 500) EXEMPTING FOREIGN RISK RETENTION GROUPS

Los Angeles, California
February 21, 2017

The National Risk Retention Association (NRRA) announced that on February 16, 2017 the state of New York released a second set of revisions to 23 NYCRR 500, this time finally exempting non-domiciliary, or foreign, risk retention groups from compliance. On November 11, 2016, NRRA escalated its opposition to the regulation with a firm letter to the NY Department of Financial Services, stating that, while recognizing the regulation did exempt smaller companies, the onerous requirements of the regulation were nevertheless completely preempted by the Liability Risk Retention Act, 15 U.S.C. 3901(a) (LRRA), which NRRA argued would exempt all RRGs from compliance.

On September 13, 2016, New York Governor Andrew M. Cuomo announced “the first in-the-nation proposed cybersecurity regulation designed to protect consumer data and financial systems….” The regulation imposes standards for the establishment of a cybersecurity program, a written cybersecurity policy, and the designation of a Chief Information Security Officer, as well as policies and procedures to protect information systems and non-public information accessible by third parties. The proposed regulation also mandates that security policy and procedure provisions be included in “third-party” service provider contracts.

Compounding the illegal preemption issue as to non-domiciliary RRGs, NRRA felt that the regulation also posed a possible existential threat to all companies, which might now face the prospect of numerous other states following New York's lead and adopting their own, potentially inconsistent, cyber regulations.

NRRA has made it clear that it is certainly not opposed to “cyber protection” and has never questioned the prerogative of the domiciliary states to impose consistent, reasonable, and sensible cyber requirements on their home-state RRGs. The NAIC has been working on a model cyber data protection law, but until it passes one, and even after it does, there is reason for concern that more states will try to follow New York. There has to be a uniform, reasonable, and scalable set of rules that can be followed, so that the industry can avoid problems like those RRGs potentially faced in New York before the LRRA came to their rescue.

The newly inserted exemption can be found at new section 500.19(f), which covers “persons subject to NY Insurance law section 5904” (Risk Retention Groups not Chartered in this State). NRRA thanks other industry leaders, domicile regulators, and key members of the association for their support of its activities in this and other initiatives seeking to protect the interests of RRGs and PGs nationwide.

ABOUT THE NATIONAL RISK RETENTION ASSOCIATION

The National Risk Retention Association (NRRA) was formed in September 1987 as a 501(c)(6) non-profit trade association and is the only national association dedicated to the successful development, education, and promotion of U.S.-domiciled alternatives to traditional liability insurance. NRRA provides high-level, rapid advocacy and a forum where the country's most knowledgeable individuals in risk retention insurance may exchange valuable and timely information. For more information, visit www.riskretention.org and see details on NRRA's Annual Conference on September 26-28, 2017 at the Sofitel Chicago Magnificent Mile Hotel. This year’s theme: “Business to Business – the NRRA Edge.”

For further information on NRRA's advocacy and member services, contact Joe Deems, Executive Director, NRRA, at (818) 995-3274, email: joe.deems@gmail.com, or visit www.riskretention.org.