Legal Alert: New York Department of Financial Services Issues 308 Request on Cyber Threats

June 11, 2013

On May 28, 2013, the New York State Department of Financial Services (DFS) sent inquiries to 31 of the largest life, health and property/casualty insurance companies pursuant to its authority under Section 308 of the New York Insurance Law.  These inquiries requested information on the policies and procedures the insurers have in place to protect against cyber-attacks.  Among the information requested by the DFS was the following:

  • Information on cyber-attacks to which the companies have been subject in the past three years;
  • The cyber-security safeguards that the companies have put in place;
  • The companies’ information technology management policies;
  • The amount of funds and other resources dedicated to cyber-security at each company; and
  • The companies’ governance and internal control policies related to cyber-security.

The highly technical nature of the 308 letters will likely necessitate a joint effort of legal and information technology personnel to formulate responses.  The answers to some of the requests may have implications under New York’s insurance regulations (e.g., Regulation No. 173), HIPAA’s Security Rule (45 C.F.R. § 164) and similar regulations in other states.  Further, the 308 letter uses numerous terms that do not have well-defined meanings.  For example, the term “data loss prevention tools” is extremely vague and can be construed to include anything from a backup tape to sophisticated software systems.  Additionally, the term “mobile devices” could include anything from smartphones and iPads to thumb drives, laptops, external hard drives and CDs.  The 308 letter also refers to “cloud computing,” which, despite its common usage, does not have a clear definition. 

The 308 letters, which are similar to inquiries sent earlier this year by the DFS to large banks, follow New York Governor Andrew Cuomo’s recent formation of the Cyber Security Advisory Board, which is charged with advising the Administration on developments in cyber-security and making recommendations for protecting the state’s critical infrastructure and information systems.  The Governor first outlined his plans for the Advisory Board in January, and he named the members of the Board on May 10.  Board members include leading experts in cyber-security from both the public and private sectors.  Benjamin Lawsky, superintendent of the DFS, is co-chair of the Board. 

New York’s actions are illustrative of an increased focus on the cyber-security of “critical infrastructure” industries by government, both at the state and federal levels.  For example, in September 2012, Senator Jay Rockefeller (WV), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, sent a letter to the Chief Executive Officer of each Fortune 500 company requesting detailed information on their cyber-security practices.  Senator Rockefeller referred to potential cyber-attacks as an “unprecedented national security challenge.”

Over the past 10 years, the number and severity of cyber-attacks against U.S. companies have steadily increased.  Much of the increased activity stems from “cyber-activist” groups such as Anonymous, LulzSec and the Syrian Electronic Army.  There have also been several suspected attacks from state actors.  As the issue of cyber-security becomes more prevalent, additional state insurance departments are expected to issue requests similar to New York’s, and New York is likely to expand the scope and breadth of its inquiries.

A press release issued by the DFS regarding the 308 letters is available at:

If you have any questions about this Legal Alert, please feel free to contact any of the attorneys listed or the Sutherland attorney with whom you regularly work.

© 2017 Eversheds Sutherland (US) LLP