Latest News

New York Course Update August 2017

New York Life & Health and Property & Casualty courses have been updated with annual outline changes effective September 7, 2017. Continue reading for Life & Health and Property & Casualty Addendums.

Addendum: for use with New York Life and Health online ExamFX courses and study guide version 20781en/20782en, per exam content outline updates effective September 7, 2017. 

The following are content additions to supplement your existing text:

Insurance Regulation

  1. State Regulations

Cyber Regulation – new section in the course

To address the growing threat of attackers extracting sensitive data from companies' systems, New York has adopted a regulation, issued by the Department of Financial Services as 23 NYCRR Part 500, that sets minimum standards for a required cybersecurity program.

Every Covered Entity (in practice, every financial services company licensed by the Department, subject to limited exemptions for certain small entities) must implement and maintain a cybersecurity program designed to protect its Information Systems and Nonpublic Information, detect and respond to cyberattacks, and recover if one occurs.

  1. Definitions

Covered Entity: any person operating under (or required to operate under) a license, registration, certificate, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.

Cybersecurity Event: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an Information System or the information stored on it. Failed attempts are Cybersecurity Events too; whether an event must be reported is a separate question (see Training and Monitoring below).

Information System: a discrete set of electronic information resources organized to collect, process, store, share, or dispose of electronic information (including Nonpublic Information), as well as specialized systems such as industrial control, telephone switching, and environmental control systems.

Nonpublic Information: electronic information that is not publicly available and falls into one of three groups: business-related information of the Covered Entity whose unauthorized disclosure, access, or use would have a material adverse impact on its business, operations, or security; personally identifiable information (such as a Social Security number, driver's license number, account number, or credit card number, together with the individual's name or another identifier); and any information (other than age or gender) about an individual's health care or the payment for it.

Multi-Factor Authentication: authentication through verification of at least two different types of factors:

  1. Knowledge factors, such as a password;
  2. Possession factors, such as a hardware token or a code sent by text message to a mobile phone; or
  3. Inherence factors, such as a biometric characteristic.

Two factors of the same type (for example, a password plus a security question) do not make a login multi-factor.

Penetration Testing: a test method in which assessors attempt to circumvent or defeat the security features of an Information System by trying to penetrate databases or controls from outside or inside the Information System.

Chief Information Security Officer (CISO): a qualified individual whom each Covered Entity must designate to oversee and implement its cybersecurity program and enforce its cybersecurity policy.

  2. Cybersecurity Program

Each Covered Entity (any individual or non-governmental entity regulated by the New York Department of Financial Services) must design, implement, and maintain a Cybersecurity Program, based on its Risk Assessment, that protects the confidentiality, integrity, and availability of its Information Systems. The program must perform six core functions:

  1. Identify and assess internal and external cybersecurity risks;
  2. Use defensive infrastructure and implement policies and procedures to protect Information Systems and Nonpublic Information from unauthorized access, use, or other malicious acts;
  3. Detect Cybersecurity Events;
  4. Respond to identified or detected Cybersecurity Events to mitigate their negative effects;
  5. Recover from Cybersecurity Events and restore normal operations and services; and
  6. Fulfill applicable regulatory reporting obligations.

The Cybersecurity Policy is a written policy, approved by a Senior Officer or the board of directors (or equivalent governing body), that sets out the Covered Entity's policies and procedures for protecting its Information Systems and the Nonpublic Information stored on them. Based on the Risk Assessment, it must address the following areas, to the extent applicable:

  • Information security;
  • Data governance and classification;
  • Asset inventory and device management;
  • Access controls and identity management;
  • Business continuity and disaster recovery planning and resources;
  • Systems operations and availability concerns;
  • Systems and network security and monitoring;
  • Systems and application development and quality assurance;
  • Physical security and environmental controls;
  • Customer data privacy;
  • Vendor and third-party service provider management;
  • Risk assessment; and
  • Incident response.

Covered Entities must ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers (outside parties authorized to access Nonpublic Information). The written policies and procedures for doing so must include the following:

  • Identification and risk assessment of third parties with access to such systems or information;
  • Minimum cybersecurity practices that third-party service providers must meet in order to do business with the Covered Entity;
  • Due-diligence processes for evaluating the adequacy of a third party's cybersecurity practices; and
  • Annual (at minimum) evaluation of third parties and their cybersecurity practices.

  3. Training and Monitoring

As part of its cybersecurity program, each Covered Entity must:

  1. Implement risk-based policies, procedures, and controls designed to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with Nonpublic Information by those Authorized Users (insiders who already hold valid credentials, so authentication alone will not catch them); and
  2. Provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the Covered Entity's Risk Assessment.

Once a Covered Entity (an insurer or its licensed agents) determines that a reportable Cybersecurity Event has occurred, it must notify the Department of Financial Services as promptly as possible and no later than 72 hours after that determination. Not every Cybersecurity Event is reportable: notice is required for events that must also be reported to another government, self-regulatory, or supervisory body, and for events with a reasonable likelihood of materially harming any material part of the entity's normal operations. Because the definition of Cybersecurity Event includes unsuccessful attempts, the 72-hour clock runs from the determination that a reportable event occurred, not from the first sign of an attack.

HEALTH

Chapter VI. Medical Plan

  1. Medical Plan Concepts

Coordination of Benefits

When an individual has coverage under two or more insurance policies, guidelines establish the order and amount of payment by each policy. When the policies contain a coordination of benefits provision, the primary and secondary (excess) policy order is determined so that the insured cannot collect more than 100% of the covered medical expenses. If one of the in-force policies does not contain a coordination of benefits provision, that policy is deemed primary for determining payment of claims. If none of the policies contain a coordination of benefits provision, the policy that has covered the insured for the longer period of time is usually deemed primary.


Addendum: for use with New York Property and Casualty online ExamFX courses and study guide version 20653en, and Personal Lines course and study guide version 20782en per exam content outline updates effective September 7, 2017.

The following are content additions to supplement your existing text:

Chapter II. General Insurance

  1. Insurers

Risk Retention and Risk Purchasing Groups

A risk retention group (RRG) is a liability insurance company owned by its members. The members are exposed to similar liability risks by virtue of being in the same business or industry. The purpose of a risk retention group is to assume and spread all or part of the liability of its group members. A risk retention group may reinsure another risk retention group's liability as long as the members of the second group are engaged in the same or similar business or industry.

A risk purchasing group is an entity that offers insurance to groups of similar businesses with similar exposures to risk. The policy is based on the insured group's own loss and expense experience, and its rates, policy forms, and coverages are not afforded to other policyholders. Such programs and the groups that offer them are exempt from most state laws, rules, and regulations, except those of the state in which the group is domiciled.

Chapter XII. Insurance Regulation

  1. State Regulations

Cyber Regulation

To address the growing threat of attackers extracting sensitive data from companies' systems, New York has adopted a regulation, issued by the Department of Financial Services as 23 NYCRR Part 500, that sets minimum standards for a required cybersecurity program.

Every Covered Entity (in practice, every financial services company licensed by the Department, subject to limited exemptions for certain small entities) must implement and maintain a cybersecurity program designed to protect its Information Systems and Nonpublic Information, detect and respond to cyberattacks, and recover if one occurs.

  1. Definitions

Covered Entity: any person operating under (or required to operate under) a license, registration, certificate, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.

Cybersecurity Event: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an Information System or the information stored on it. Failed attempts are Cybersecurity Events too; whether an event must be reported is a separate question (see Training and Monitoring below).

Information System: a discrete set of electronic information resources organized to collect, process, store, share, or dispose of electronic information (including Nonpublic Information), as well as specialized systems such as industrial control, telephone switching, and environmental control systems.

Nonpublic Information: electronic information that is not publicly available and falls into one of three groups: business-related information of the Covered Entity whose unauthorized disclosure, access, or use would have a material adverse impact on its business, operations, or security; personally identifiable information (such as a Social Security number, driver's license number, account number, or credit card number, together with the individual's name or another identifier); and any information (other than age or gender) about an individual's health care or the payment for it.

Multi-Factor Authentication: authentication through verification of at least two different types of factors:

  1. Knowledge factors, such as a password;
  2. Possession factors, such as a hardware token or a code sent by text message to a mobile phone; or
  3. Inherence factors, such as a biometric characteristic.

Two factors of the same type (for example, a password plus a security question) do not make a login multi-factor.
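The definition above (and the identical one in the Life & Health addendum earlier on this page) says what counts as a factor but not how a system checks two of them. The following is an added example, not code from ExamFX or from the regulation: it verifies a knowledge factor (a salted PBKDF2 password hash) and a possession factor (a time-based one-time code from an authenticator app, RFC 6238), and refuses a login whose factors are all of the same type. The user record, salt, factor labels and verifier names are constructed for illustration; the TOTP secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Two-factor login check: a knowledge factor (password) plus a possession
factor (RFC 6238 time-based one-time code). Added example; the user record,
salt, secret and factor labels below are constructed, not from any real system."""
import hashlib
import hmac
import struct
import time

# The three factor types named in 23 NYCRR 500's definition.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
TOTP_STEP = 30  # seconds per TOTP counter step


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2-HMAC-SHA256; the stored hash is only ever compared in constant time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{(code % 10 ** digits):0{digits}d}"


def verify_password(record: dict, presented: str) -> bool:
    return hmac.compare_digest(record["pw_hash"], hash_password(presented, record["salt"]))


def verify_totp(record: dict, presented: str, at: int, skew: int = 1) -> bool:
    # Accept the current step and `skew` neighbours either side to tolerate clock drift.
    return any(
        hmac.compare_digest(totp(record["totp_secret"], at + d * TOTP_STEP), presented)
        for d in range(-skew, skew + 1)
    )


def verify_security_answer(record: dict, presented: str, at: int) -> bool:
    # A second *knowledge* factor: even when correct it does not make a login MFA.
    return hmac.compare_digest(record["answer_hash"], hash_password(presented, record["salt"]))


# (factor type, verifier name) -> check(record, presented_value, at). Names are assumptions.
VERIFIERS = {
    (KNOWLEDGE, "password"): lambda rec, v, at: verify_password(rec, v),
    (KNOWLEDGE, "security_answer"): verify_security_answer,
    (POSSESSION, "totp"): verify_totp,
}


def authenticate(record: dict, factors: list, at=None) -> tuple:
    """factors: [(factor_type, verifier_name, presented_value), ...].
    Returns (granted, reason); the reason is for the audit log, not the client."""
    at = int(time.time()) if at is None else at
    results = []
    for factor_type, name, value in factors:
        check = VERIFIERS.get((factor_type, name))
        results.append((factor_type, check is not None and check(record, value, at)))
    # Every presented factor must verify, and the verified factors must span at
    # least two different types, otherwise this is single-factor authentication.
    if not all(ok for _, ok in results):
        return False, "one or more factors failed"
    if len({factor_type for factor_type, _ in results}) < 2:
        return False, "not multi-factor: all factors are of the same type"
    return True, "ok"


# Constructed user record. The TOTP secret is the RFC 6238 test key.
SALT = b"constructed-salt-not-for-production"
USER = {
    "user": "agent17",
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "answer_hash": hash_password("fluffy", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)  # what the user's authenticator app shows
    print(authenticate(USER, [(KNOWLEDGE, "password", "correct horse battery staple"),
                              (POSSESSION, "totp", code)], at=now))
    print(authenticate(USER, [(KNOWLEDGE, "password", "correct horse battery staple"),
                              (KNOWLEDGE, "security_answer", "fluffy")], at=now))
```

Two points the definition leaves implicit are enforced here: factors are compared with `hmac.compare_digest` rather than `==`, and access is granted only when the verified factors span two types, so a correct password plus a correct security answer is still denied. Accepting one neighbouring 30-second window (`skew=1`) covers clock drift between the server and the phone; widening it further weakens the possession factor.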

Penetration Testing: a test method in which assessors attempt to circumvent or defeat the security features of an Information System by trying to penetrate databases or controls from outside or inside the Information System.

Chief Information Security Officer (CISO): a qualified individual whom each Covered Entity must designate to oversee and implement its cybersecurity program and enforce its cybersecurity policy.

  2. Cybersecurity Program

Each Covered Entity (any individual or non-governmental entity regulated by the New York Department of Financial Services) must design, implement, and maintain a Cybersecurity Program, based on its Risk Assessment, that protects the confidentiality, integrity, and availability of its Information Systems. The program must perform six core functions:

  1. Identify and assess internal and external cybersecurity risks;
  2. Use defensive infrastructure and implement policies and procedures to protect Information Systems and Nonpublic Information from unauthorized access, use, or other malicious acts;
  3. Detect Cybersecurity Events;
  4. Respond to identified or detected Cybersecurity Events to mitigate their negative effects;
  5. Recover from Cybersecurity Events and restore normal operations and services; and
  6. Fulfill applicable regulatory reporting obligations.

The Cybersecurity Policy is a written policy, approved by a Senior Officer or the board of directors (or equivalent governing body), that sets out the Covered Entity's policies and procedures for protecting its Information Systems and the Nonpublic Information stored on them. Based on the Risk Assessment, it must address the following areas, to the extent applicable:

  • Information security;
  • Data governance and classification;
  • Asset inventory and device management;
  • Access controls and identity management;
  • Business continuity and disaster recovery planning and resources;
  • Systems operations and availability concerns;
  • Systems and network security and monitoring;
  • Systems and application development and quality assurance;
  • Physical security and environmental controls;
  • Customer data privacy;
  • Vendor and third-party service provider management;
  • Risk assessment; and
  • Incident response.

Covered Entities must ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers (outside parties authorized to access Nonpublic Information). The written policies and procedures for doing so must include the following:

  • Identification and risk assessment of third parties with access to such systems or information;
  • Minimum cybersecurity practices that third-party service providers must meet in order to do business with the Covered Entity;
  • Due-diligence processes for evaluating the adequacy of a third party's cybersecurity practices; and
  • Annual (at minimum) evaluation of third parties and their cybersecurity practices.

  3. Training and Monitoring

As part of its cybersecurity program, each Covered Entity must:

  1. Implement risk-based policies, procedures, and controls designed to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with Nonpublic Information by those Authorized Users (insiders who already hold valid credentials, so authentication alone will not catch them); and
  2. Provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the Covered Entity's Risk Assessment.
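Item 1 above (and its twin in the Life & Health addendum earlier on this page) requires detecting misuse of Nonpublic Information by users who are already authorized, which access control by itself does not catch. As an added example, not part of the course text or of the regulation, the following runs three such checks over a constructed application audit log: an agent touching a policy record outside the book of business assigned to them, a record update with no change ticket attached, and one account reading an unusual number of distinct records in a short window. The log format, the `BOOK` assignments, the field names and the thresholds are all assumptions made for the example.

```python
"""Insider-misuse checks over an application audit log. Added example; the log
lines, user-to-record assignments, field names and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Which policy records each agent is assigned (their "book of business").
# Support staff (role=support) are not scoped to a book, so only the volume
# rule applies to them. Constructed for the example.
BOOK = {
    "agent17": {"POL-1001", "POL-1002"},
    "agent42": {"POL-2200"},
}
BULK_THRESHOLD = 20                  # distinct records read by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Constructed audit log: one event per line, key=value fields after the timestamp.
SAMPLE_LOG = """\
2017-09-07T09:00:05Z user=agent17 role=agent action=read record=POL-1001 ticket=-
2017-09-07T09:00:40Z user=agent17 role=agent action=read record=POL-1002 ticket=-
2017-09-07T09:01:10Z user=agent17 role=agent action=read record=POL-2200 ticket=-
2017-09-07T09:02:00Z user=agent17 role=agent action=update record=POL-1001 ticket=-
2017-09-07T09:03:30Z user=agent42 role=agent action=update record=POL-2200 ticket=CHG-7781
""" + "".join(
    # ops01 paging through 25 different policies, one every 20 seconds
    f"2017-09-07T09:{5 + (i * 20) // 60:02d}:{(i * 20) % 60:02d}Z user=ops01 role=support "
    f"action=read record=POL-{3000 + i} ticket=-\n"
    for i in range(25)
)


def parse_event(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> list:
    """Return one alert dict per finding: {'rule', 'user', 'detail'}."""
    alerts = []
    recent_reads = defaultdict(deque)  # user -> (ts, record) reads inside BULK_WINDOW
    bulk_flagged = set()               # alert once per user, not once per read
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, action, record = ev["user"], ev["action"], ev["record"]

        # Rule 1: an authorized agent touching a record outside their own book.
        book = BOOK.get(user)
        if book is not None and record not in book:
            alerts.append({"rule": "out_of_scope", "user": user,
                           "detail": f"{action} of {record}, not in assigned book"})

        # Rule 2: data changed with no change ticket to justify it (tampering signal).
        if action == "update" and ev.get("ticket", "-") == "-":
            alerts.append({"rule": "untracked_update", "user": user,
                           "detail": f"update of {record} with no change ticket"})

        # Rule 3: unusual breadth of reads in a sliding window (bulk retrieval).
        if action == "read":
            window = recent_reads[user]
            window.append((ev["ts"], record))
            while ev["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            distinct = {r for _, r in window}
            if len(distinct) > BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                minutes = int(BULK_WINDOW.total_seconds() // 60)
                alerts.append({"rule": "bulk_read", "user": user,
                               "detail": f"{len(distinct)} distinct records read within {minutes} minutes"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

Each rule keys off something a legitimate user does not normally do rather than off whether the user was allowed in, which is the distinction the regulation draws. agent42's update passes because it carries a ticket, and ops01 is never flagged for scope because support staff have no book; the bulk rule still fires for them on the 21st distinct record inside the window.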

Once a Covered Entity (an insurer or its licensed agents) determines that a reportable Cybersecurity Event has occurred, it must notify the Department of Financial Services as promptly as possible and no later than 72 hours after that determination. Not every Cybersecurity Event is reportable: notice is required for events that must also be reported to another government, self-regulatory, or supervisory body, and for events with a reasonable likelihood of materially harming any material part of the entity's normal operations. Because the definition of Cybersecurity Event includes unsuccessful attempts, the 72-hour clock runs from the determination that a reportable event occurred, not from the first sign of an attack.