b'TABLE OF CONTENTSCYBERSECURITY & DATA PRIVACYAdoption of the Model Law has steadily increased.The strategy should be proportionate with each In 2019 and 2020, many more states adopted theinsurers risk based on the insurers size, resources, Model Law, including Alabama, Connecticut,geographic distribution, and other factors, and Delaware, Indiana, Louisiana, Mississippi, Newincorporate best practices, such as obtaining Hampshire and Virginia. cybersecurity expertise through hiring practices.In 2021, adoption continued with Hawaii, Iowa,February 16, 2021Cyber Fraud Alert regarding Maine, Minnesota, North Dakota, Tennessee andInstant Quote Websites/Nonpublic Information (NPI):Wisconsin each adopting the Model Law. We expectThe NYDFS issued an alert informing industry of a additional adoptions of the Model Law in 2022. campaign to exploit cybersecurity flaws in public-Further, the Federal Trade Commission (FTC)facing websites. Specifically, the NYDFS noted that adopted revisions to its safeguarding rule that arethis system of attacks was focused on stealing NPI largely based on the NYDFS cybersecurityfrom public-facing websites that display or transmit regulation (and therefore, are broadly consistentconsumer NPI, including websites that provide an with the Model Law). Even though the FTC rule doesinstant insurance quote. Bad actors may impersonate not apply to insurance licensees, it may apply toa customer, enter publicly available information in the affiliates, service providers, and counterparties ofquote form, and collect the nonpublic information insurance licensees and is evidence of the broadthat is returned by the insurer. The NYDFS urged all acceptance of the principles in the Model Law. regulated entities with instant quote websites to review those websites for evidence of hacking and New York Department of Financial Services implement any remedial steps. The NYDFS also The NYDFS remained a national leader inrecommended that insurers review their disclosure cybersecurity regulation by issuing extensive newpractices and disclose nonpublic information on or guidance for the insurance sector and taking actionthrough public-facing websites only if there is a against several insurers for noncompliance with itscompelling reason to do so.cybersecurity regulation. March 30, 2021Cyber Fraud Alert Regarding Prefilled Nonpublic Information: February 2, 2021Insurance Circular Letter No. 2The NYDFS issued a follow-up alert regarding the on Cyber Insurance Risk Framework:In this circular letter, the NYDFS created a risksystemic campaign to steal NPI from public-facing framework for cyber insurance that outlines industrywebsites. In light of the continuing cybercrime best practices for New York-regulated property- campaign, the NYDFS urged personal lines insurers casualty insurers that write cyber insurance. Theand other financial services companies to avoid framework suggests that insurers offering cyberdisplaying prefilled NPI on public-facing websites. It insurance should establish a formal strategy foralso reiterated that agent portals should be measuring cyber insurance risk that is directed andprotected by robust access controls. Finally, the approved by its board or other governing entity.NYDFS listed additional basic security steps that MAYER BROWN |135'