
New CE Requirements

Take note that the Department of Financial Services (“DFS”) has finalized its regulation, which has been in the works for some time, regarding heightened continuing education for agents and brokers. The revised regulation now requires enhanced flood insurance education for insurance producers who sell flood insurance through the National Flood Insurance Program. In addition, DFS is the first state regulator to require education in diversity, inclusion and the elimination of bias for its insurance producer and public adjuster licensees.

The regulation takes effect November 12, 2021 and applies to licenses renewed on or after April 1, 2022. A copy of the regulation can be found here.

Cyber Security

It’s helpful to keep an eye on DFS’s cybersecurity FAQs. Two new FAQs have been posted which are worth a read:

When there is a Cybersecurity Event at a Third Party Service Provider that affects a Covered Entity, is that Covered Entity required to notify DFS even if the Third Party Service Provider notifies DFS on the Covered Entity’s behalf?

Yes. Under 23 NYCRR Section 500.17(a), “[e]ach Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.” Thus, if a Cybersecurity Event at a Third Party Service Provider affects a Covered Entity, then the Covered Entity itself must provide notice to DFS directly – regardless of whether the Third Party Service Provider is also a Covered Entity or offers to provide notice on the Covered Entity’s behalf. Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry.

Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)?

Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.

DFS’s Cyber FAQs can be found here.

Not surprisingly, as the cyber security regulation, known as Part 500, has been in effect for almost five years now, we will continue to see consent orders for cybersecurity violations. Most recently, LifeMark Securities Corporation, after self-reporting a cybersecurity breach, was found to have failed to implement written policies and procedures designed to ensure the security of non-public information accessible to, or held by, its Third-Party Service Providers. LifeMark was issued a $150,000 fine.

Disciplinary Actions

Last month, an agent’s license was revoked and his appointments were terminated for cause by Prudential for submitting forms related to annuity applications that contained non-genuine signatures, in violation of Company policy. In addition, there continue to be numerous fines for failing to report disciplinary actions taken by another state.
