Cyber Regulations Require More
Tips for complying with New York’s sweeping cyber-security regulation as you acquire.
You are in the agency acquisition business, and your due diligence list is long.
After you work through the pro formas and verify (or correct) the projected financials, you work through all of the agency contracts, review fees and commission agreements, verify licensure status, and review a whole host of other business issues and regulatory compliance obligations to ensure you are not buying a pig in a poke or a ticket to an administrative enforcement proceeding.
Verifying that the requisite software licenses are in place and reviewing privacy protections and data protection protocols have been on your list for a while, but the new cyber-security regulatory regimes beginning to take effect around the country will require more. First out of the blocks was the New York Department of Financial Services’ sweeping cyber-security regulations, which took effect two years ago.
This means a prospective acquirer must examine the extent to which the “acquiree” handles non-public information as well as other factors, including the soundness of its data systems and the extent to which those systems are integrated with one another.
Under those regulations, which we have written about extensively, insurance brokerage firms and anyone else licensed by the department are required to establish and maintain prescribed cyber-security programs to protect their systems and data. The precise scope of the program will vary based on the size of the firm’s New York-related business and the firm’s assessment of its cyber-security risks and exposures, which is mandated by the department. (Firms that employ fewer than 10 employees living in New York and that do not generate at least $5 million in New York-related revenue have a more streamlined set of compliance obligations.)
The applicable rules require your firm to assess your business’s cyber risk in light of the non-public information you collect and store, the information systems you use, and the effectiveness of your system access controls. And these risk assessments are not a one-and-done affair; they must be conducted periodically and documented.
Acquiring Cyber Risk
When you acquire another firm, you must step through an analogous risk-assessment process. The department has thus made clear that “when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [the cyber-security] regulatory requirements apply to that particular acquisition.” New York’s Department of Financial Services (DFS) has emphasized that acquirers “need to have a serious due diligence process” and should prioritize cyber-security when considering any new acquisitions. In other words, any due diligence conducted for a merger or acquisition must consider the target’s cyber-security risk profile and must evaluate the extent to which it is in compliance with the department’s cyber-security rule requirements.
This means a prospective acquirer must examine the extent to which the “acquiree” handles non-public information as well as other factors, including the soundness of its data systems and the extent to which those systems are integrated with one another.
If the target acquisition is not in compliance with its pre-acquisition regulatory obligations, the acquirer is getting not just the non-compliant target company with its inherent cyber-security risk but also all the attendant regulatory liability. In the case of New York’s DFS, this means the acquirer could be opening itself up to significant financial penalties and putting its licensure status at risk.
Post-Acquisition Plan
You also should have a post-acquisition cyber integration plan in place to integrate the acquired firm into your business and into your cyber-security program so you do not create new cyber (and related business) risks. The firm should be in full compliance with its pre-merger rule requirements on Day 1. If the acquired firm’s obligations are expanded (or created) as a result of the merger itself—if, for example, it would no longer qualify for the “New York small business” partial exemption—you will have 180 days from the end of the most recent fiscal year in which you ceased to qualify for the applicable exemption to come into full regulatory compliance.
The complexity of the applicable requirements and the challenges of the M&A due diligence process have been magnified by the Third Party Service Party requirements, which took effect March 1. Third Party Service Party companies provide services to the covered entity and maintain, process or have access to the covered entity’s non-public information because of that relationship. The New York rule requires all covered entities to have cyber-security policies and procedures to which each of its Third Party Service Party companies are bound based on the level of access to your systems and the risks that each company presents.
And you also must somehow monitor each Third Party Service Party’s compliance with those requirements even if they are directly bound by New York’s cyber-security regime.
A further complication: last fall New York “clarified” that your firm must comply with the Third Party Service Party requirements even if it is also a covered entity and has its own cyber-security regulatory compliance obligations. Your firm thus must independently assess the cyber-security protocols to which your firm needs each of your Third Party Service Parties to adhere to fortify your firm’s own cyber-security program. And you also must somehow monitor each Third Party Service Party’s compliance with those requirements even if they are directly bound by New York’s cyber-security regime. You cannot, according to the DFS, merely rely on the mandated certificate of compliance with the cyber-security rule of a Third Party Service Party that also is a covered entity to satisfy your firm’s cyber-security program requirements.
A carrier likely will consider all of the firms for which it has made an agency appointment to be Third Party Service Parties under these rules (in part because that is the example the financial services agency used in making its “clarification”). Unless your firm has access to carrier data beyond data related to your firm’s own clients, however, we believe the carriers should be able to rely on your compliance with the applicable cyber-security requirements. Moreover, we also believe a carrier should be able to satisfy any applicable cyber-security program compliance monitoring obligation by relying on a firm’s independent audit process. In other words, a firm should be able to present the results of an annual cyber-security program review to all of the carriers for which it may be acting in a Third Party Service Party capacity.
Our near-term mission is to facilitate an industrywide discussion on the appropriate Third Party Service Party cyber-security program compliance monitoring protocols (those discussions are now under way). In the meantime, it is critical that acquiring companies prioritize these cyber-security policy and program issues during their due diligence and integration processes.
Rigamonti is a senior associate in Steptoe’s Government Affairs & Public Policy group. erigamonti@steptoe.com
