Section | Sub Section | Description | Documentation and Reference

500.02 Cybersecurity Program
a | Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. | Vanner Insurance maintains a comprehensive Cybersecurity Program to protect the confidentiality and integrity of its Information Systems.
b | The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: | Implemented
b(1) | identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems | A quarterly review of internal and external threats is conducted, and measures are taken to mitigate the threats identified.
b(2) | use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts | Vanner Insurance maintains a multi-layered system of controls and defensive components to protect its Information Systems, including but not limited to stateful packet-inspection firewalls, anti-virus and anti-malware protection, user-based permissions and account controls, and cloud-based perimeter inspection and control services.
b(3) | detect Cybersecurity Events | Vanner Insurance maintains intrusion detection features on its firewalls and a system of threat alerting through 24x7 Remote Monitoring and Management (RMM) of all devices, endpoints and network connection sources.
b(4) | respond to identified or detected Cybersecurity Events to mitigate any negative effects | Vanner Insurance maintains a documented Threat Response Process and Checklist, available for inspection.
b(5) | recover from Cybersecurity Events and restore normal operations and services | Vanner Insurance maintains a separate Data Backup and Disaster Recovery Procedure and Policy.
b(6) | fulfill applicable regulatory reporting obligations | Vanner Insurance can make all policies and documentation available to relevant parties and authorities upon request.
c | A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity. | A comprehensive Cybersecurity Program has been adopted and will be maintained by an Affiliate (the IT Manager).
d | All documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request. | Vanner Insurance will make all such documentation available upon request.
500.03 Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following areas to the extent applicable to the Covered Entity’s operations: | Written policy implemented and approved by Vanner’s CFO.
a | information security | All staff shall comply with information security procedures, including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action. Each member of staff is responsible for the operational security of the information systems they use. Each system user shall comply with the security requirements in force and shall ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
b | data governance and classification | Vanner Insurance shall maintain a consistent system for the classification of information within the organization and shall implement appropriate information classification controls based on the results of formal risk assessment and guidance.
c | asset inventory and device management | An inventory of all Vanner-owned devices is kept in an electronic reference and reporting system available on demand to any authorized Vanner officer or approved manager. All Vanner devices are currently inventoried and managed through the third-party vendor’s Remote Monitoring and Management (RMM) system.
d | access controls and identity management | Access to the company’s network and servers, whether physical or remote, shall be via unique logins that require authentication in the form of passwords, biometrics, ID cards, or tokens.
e | business continuity and disaster recovery planning and resources | Contingency plan implemented. If any cybersecurity threat is suspected, the IT Manager will immediately notify the CFO and the third-party Technology Systems Integrator by cell phone. If the IT Manager is not available, the Director of Operations for Commercial Lines will make the notification. Once the threat has been contained, the CFO will notify by email (1) the NYS Division of State Police / NYS Intelligence Center, (2) the NYS Attorney General’s Office, and (3) the NYS Department of State, Division of Consumer Protection. The CFO is also responsible for notifying the mass media. The full contingency plan is maintained as a separate document.
f | systems operations and availability concerns |
g | systems and network security | Vanner Insurance shall continue to implement, assess and regularly enhance, by all reasonable means, the systems and protocols that secure its internal IT network.
h | systems and network monitoring | Vanner Insurance will monitor critical systems and network infrastructure (servers, applications, voice communications) 24x7x365 using the third-party vendor’s RMM system.
i | systems and application development and quality assurance | Vanner does not currently develop its own IT systems or applications in-house.
j | physical security and environmental controls | Vanner shall at all times maintain physical security, by means of physical or electronic locks and other security measures, of all areas of its building used to stage, store and operate its Information Technology equipment and data.
k | customer data privacy | Vanner shall at all times maintain the security of customer data housed and stored on its internal network. Vanner shall use a multi-layered system of controls and policies to ensure that all customer data is properly protected, including but not limited to the following:
1. Access control systems requiring unique user names and passwords. (Microsoft Active Directory)
2. Network security devices to protect its network from outside intrusion (Network Firewall)
3. Perimeter security service to inspect and control Internet requests originating inside the network (Cisco Umbrella)
4. Encrypted email to protect customer information that is transmitted to outside 3rd Parties (ZixMail)
l | vendor and Third Party Service Provider management | Vanner shall, on a regular basis, review and inspect the policies, procedures and work of its third-party IT providers.
m | risk assessment | Vanner, together with its third-party IT providers, shall conduct an annual risk assessment of its IT security and systems to ensure that the highest level of protection is in place for its electronic assets.
n | incident response | Vanner Incident Response Protocol still to be developed.
500.07 Access Privileges. As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment, each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges. | Vanner Insurance maintains a current access list of user accounts and permission groups that limits and manages access to all areas of Vanner’s IT systems. This list is reviewed regularly to ensure that the access permissions of its users are appropriate and up to date.
500.17 Notices to Superintendent
a | Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: | The CFO will make the required notifications (form location to be recorded).
a(1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
a(2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
Reporting Entities
1.  New York State Office of Information Technology Services * Enterprise Information Security Office * Security Breach Notification * 1220 Washington Avenue * State Office Campus * Building 5, 1st Floor * Albany, NY 12226 * eiso@its.ny.gov
2.  New York State Attorney General’s Office * Consumer Frauds & Protection Bureau * Security Breach Notification * 120 Broadway – 3rd Floor * New York, NY 10271 * breach.security@ag.ny.gov
3.  New York State Department of State, Division of Consumer Protection * Attention: Director of the Division of Consumer Protection * Security Breach Notification * 99 Washington Avenue, Suite 650 * Albany, NY 12231 * security_breach_notification@dos.ny.gov