Expect Focus Life, Annuity, and Retirement Solutions, December 2021

Regulators Forecast Storm of Cybersecurity Activity

Life, Annuity, and Retirement Solutions   |   Cybersecurity and Privacy   |   Financial Services Regulatory   |   Securities & Investment Companies   |   Life, Annuity, and Retirement Solutions   |   January 11, 2022

In September and October 2021 alone, the Federal Trade Commission, the New York State Department of Financial Services, and the Securities and Exchange Commission all signaled their plans for a cybersecurity squall.


On September 13, 2021, the Federal Trade Commission (FTC) submitted a report to Congress identifying four priority areas for its ongoing data privacy and security work. Most significant for life insurers is the agency’s plan to expand its understanding and guidance regarding the use of algorithms, which could impact life insurers’ underwriting processes. The FTC also requested that Congress “enact privacy and data security legislation, enforceable by the FTC,” for which the FTC sought expanded “civil penalty authority [and] APA rulemaking authority.” The FTC followed up the report by releasing revisions to its Safeguards Rule and a supplemental notice of proposed rulemaking to require reporting to the FTC within 30 days of security incidents reasonably likely to impact 1,000 or more consumers.


On October 22, 2021, the New York State Department of Financial Services (DFS) issued a letter clarifying that covered entities remain responsible for their cybersecurity obligations, irrespective of reliance on an affiliate’s cyber program. When a covered entity adopts some or all of an affiliate’s cybersecurity program, the entity must “make available to DFS, upon request, all ‘documentation and information’ relevant to their cybersecurity programs … includ[ing] … programs adopted from an affiliate.” For covered entities relying on affiliates not otherwise regulated by DFS, this will require contractual provisions:

  • Requiring the affiliate to comply with the requirements of the cybersecurity regulation with respect to any of the affiliate’s information systems that are shared with the covered entity; and
  • Providing the covered entity with access, “at a minimum,” to the affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing, and vulnerability assessment results, and any third-party audits that relate to the adopted portions of the cybersecurity program of the affiliate.


On October 29, 2021, SEC Commissioner Elad Roisman gave a speech in which he encouraged entities to:

  • Learn from the SEC’s cybersecurity guidance, especially cybersecurity and resiliency observations it published in January 2020; and
  • Take steps to prevent and mitigate damage from cybersecurity attacks, including:
    • Having an incident response plan;
    • “Identifying, ahead of time, certain providers and experts that a registrant should call in the event of a cyber-incident”; and
    • Performing a “tabletop” exercise.

Roisman also expressed his support for continued enforcement actions and his belief that the SEC should “consider rules that provide registrants — particularly investment advisers and public issuers — with more of an idea of what we expect of them in today’s marketplace,” especially regarding breach notification.

On top of all this, the NAIC is establishing a new Innovation, Cybersecurity, and Technology (H) Committee, including a Cybersecurity (H) Working Group. A draft of the Working Group’s charges includes:

  • Monitoring cybersecurity trends with the potential to affect the insurance industry;
  • Advising on the development of cybersecurity training for state insurance regulators;
  • Promoting communication across state insurance departments regarding cybersecurity risks and events;
  • Overseeing the development of a regulatory cybersecurity response guidance document to assist state insurance regulators investigating insurance cyber events;
  • Coordinating NAIC committee cybersecurity work across working groups;
  • Working with the Center for Insurance Policy and Research to analyze cybersecurity-related information;
  • Supporting state implementation efforts related to adopting the Insurance Data Security Model Law (#668); and
  • Engaging with federal and international supervisors and agencies on managing and evaluating cybersecurity risk.

Ready your shovels and salt, the forecast is looking icy.



©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.