The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.
OVIA Insurance Agencies Cyber Security Policy
Third Party Service Questionnaire
Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. The following provides answers to frequently asked questions concerning 23 NYCRR Part 500. Terms used below have the meanings assigned to them in 23 NYCRR 500.01.
NYS DFS Cyber Security FAQ's
Oswego Valley Insurance Agencies LLC Cybersecurity policy
Date updated 04/12/17
“Policy” refers to the Information Security Policy.
“Agency” refers to Oswego Valley Insurance Agencies LLC.
“Clients” refers to the Agency’s clients, former and prospective clients.
“Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
“Nonpublic Information” shall mean all electronic information that is not Publicly Available Information and is:
“Passwords” refers to a string of characters that, when possible, is at least 8 characters long and contains at least three of the following: upper case letter, lower case letter, a number, a special character (%, &, #, etc.).
“Person” means any individual or non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.
“Third Party Service Providers” refers to a person that is not an affiliate of the Agency that provides services to the Agency and maintains, processes or is otherwise permitted access to Nonpublic Information through its provision of services to the Agency.
This Policy for Oswego Valley Insurance Agencies LLC (hereinafter referred to as “Agency”) is intended to create effective administrative, technical, electronic and physical protections to safeguard the personal information of the Agency’s Clients and employees, the Agency’s proprietary and confidential information, the physical security of our premises, and the integrity of our electronic systems so that they are best positioned to function smoothly without interruption.
This Policy sets forth the Agency’s procedures for electronic and physical methods of accessing, collecting, storing, using, transmitting, destroying, and protecting Nonpublic Information of Clients, the Agency and/or Agency employees and also the use of the Agency’s Systems by Agency employees and any authorized third parties, as deemed appropriate and/or required by applicable laws and regulations.
In formulating and implementing this Policy, we have:
All security measures contained in this Policy shall be reviewed and re-evaluated annually or when there is a change in applicable laws or regulations or in the business activities of Agency. The Agency reserves the right to modify this Policy at any time, with or without prior notice.
It shall be the responsibility of each Agency employee to carefully read, understand and adhere to this Policy. Each employee with access to Nonpublic Information shall receive training as necessary on this Policy.
The Agency has designated Clark Stanton as the “Information Security Coordinator” to oversee implementation of this Policy.
The Information Security Coordinator will be responsible for:
Nonpublic Information is to be accorded the highest level of confidentiality by the Agency and employees.
Examples of Nonpublic Information include, but are not limited to, first name and last name, or first initial and last name, and any one or more of the following:
The information listed in 1-4 above, even if it is not connected with a name, should each be treated as Nonpublic Information.
The Agency and its employees recognize that the Agency possesses Nonpublic Information in the following places, whether in the Agency’s premises or off site, and whether created or maintained by Agency or third parties on behalf of Agency:
This Policy is intended to protect Nonpublic Information possessed by the Agency from unauthorized access, dissemination and/or use.
Nonpublic Information may not be disseminated, communicated or stored on or through any social media websites or services, at any time or for any reason.
Employees will adhere to the Agency document retention schedule and requirements. When it is appropriate to destroy Agency records, paper and electronic records containing Nonpublic Information must be destroyed in a manner in which they cannot be read or reconstructed.
Unless otherwise directed by the Information Security Coordinator, a commercial shredding company will be used to destroy paper documents. When computers, digital copiers, scanners and/or printers with electronic storage capacity, or portable electronic devices and media are discarded, such disposal should be coordinated with the Information Security Coordinator, and care needs to be taken to ensure that the hard drives or other storage media are destroyed in a manner that all data becomes unreadable.
In addition to the measures taken to combat internal risks, the following measures will be taken to minimize external risks to the security, confidentiality and/or integrity of records containing Nonpublic Information:
IF A BREACH OF NONPUBLIC INFORMATION (CYBERSECURITY EVENT) OCCURS OR IS SUSPECTED
A security breach occurs when there is an unauthorized acquisition, dissemination, use or loss of Nonpublic Information. Each employee shall be responsible for notifying the Information Security Coordinator whenever he or she learns that there has been or may have been a security breach that may have compromised Nonpublic Information or other Agency information about Clients, employees or Agency business.
The Agency will take the following actions in the event of a security breach: