Certain captive insurers and risk retention groups (RRGs) must remain vigilant against cyber threats, despite their exemption from the new rules in effect in New York, according to A.M. Best.
The rating agency warned in a new briefing that it has been heightening its focus on cyber liability, which now forms part of its assessment of a company’s risk management practices.
“Understanding a company’s vulnerabilities and the safeguards to deal with potential cyber threats is a subset of A.M. Best’s view of a company’s enterprise risk management,” the rating agency explained in a foreword to the briefing.
Pure captives, industrial insured group captives and RRGs were among those exempted from the final New York State Department of Financial Services (NYDFS) cyber security rules, which went into effect on 1 March.
Exempt insurers still need to file a certificate of exemption with the NYDFS within 30 days.
The new rules require banks, insurance companies and other financial services institutions regulated by the NYDFS to establish and maintain cyber security programmes designed to protect consumers’ private data and ensure industry safety.
Requirements include conducting periodic risk assessments, maintaining a cyber security programme based on the risk assessment, complying with governance and staffing requirements, and providing regular cyber security awareness training.