What Keeps Me Up At Night

Over the years, I’ve written a lot about how independent agents are burdened more and more by business expenses we just didn’t use to have. Some of these costs can be attributed directly to insurance company cost-transferring: things like reductions in commission and profit sharing; front-line underwriting; loss control and even printing policies ourselves, rather than the carrier printing and sending them to the client directly. Others are a result of the technological evolution: purchasing and upgrading agency management systems; digital marketing; online training for our staff…the list goes on and on.

I understand that “progress” dictates that we stay up-to-date and that “efficiencies” have been won with the digital revolution. But I am not so naïve as to think that agents are saving as much as carriers or even our mutual customers as a result of it. And, it seems, with each new advancement, we face another cost and another challenge. It’s tough out here.

This again came to mind for me when I heard about the New York State Department of Financial Services’ proposed cyber regulations, first published in September this past year. “Great, more new expenses,” I thought. “And not just the expense that comes from implementing programs and policies to comply, but also the penalties that will come if we don’t.”

The cyber regulations were revised after significant input from PIANY, which has been actively working with the department, conveying the producer community’s grave concerns and effecting some amendments to the proposed regulation. The association has been providing all agents—not just members and not just agents in New York state—with information, tools and education about this new regulation, because it recognizes their significance to everyone in our industry.

Some noteworthy changes PIANY was able to achieve, working with the business community, its members and the department, include: pushing back the effective date three months to March of 2017; and obtaining the concession that many of the requirements will now be phased in over a period of one to two years. Other changes include defining overly broad terms like “third-party service providers” and “cyber events” and, importantly, refocusing the regulation on the risks a business is likely to face, which will be determined by a “risk assessment.”

Perhaps the most publicized amendment to the regulation announced in December is a revision that identifies entities that qualify for a “limited exemption”—these now include agencies with fewer than 10 employees, with less than $5 million in gross revenue, or less than $10 million in year-end total assets. While these are changes in the right direction, PIA recognizes this is not a total “win” for any agency: Even if an agency qualifies for the “limited exemption,” it will still be required to comply with new requirements in the regulation, including conducting periodic risk assessments; establishing a cybersecurity program and implementing an internal policy to protect its information systems; limiting and reviewing internal access privileges within the agency and securing data accessible to third-party service providers; establishing procedures to dispose of information and notifying the superintendent when cybersecurity events occur. This is an enormous undertaking for an independent insurance agent—Huge!

What’s frightening is that the subject of cybersecurity makes most of our eyes glaze over, until we become victim to a cybercrime, it affects our bottom line, or both. I know I would not be as concerned about this if not for the information and assistance of PIA. I worry that many agencies may be unaware of this new business burden (and its associated costs). And they become concerned only when it could be too late: after their business has fallen victim to a cyber event, and they face the additional injury of penalties and fines from the state for noncompliance with these regulations.

As I mentioned, PIA has been working hard to mitigate what it can of the regulation, inform the industry about the new rules, and provide a turnkey solution that all agencies can access to protect themselves and make sure that they don’t face fines for noncompliance. It’s another way PIA has helped me sleep better at night.