About Matthew Lerner

Matthew Lerner is the business content writer at RIMS.

New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.

Greenberg, New York State Settle Long-Running Civil Case

One of Wall Street’s longest-running dramas closed Feb. 10 as New York State and Maurice “Hank” Greenberg finally ended a legal clash which began in 2005 under the stewardship of then Attorney General Elliot Spitzer.

Former American International Group, Inc. CEO Greenberg and the Attorney General’s office reached a settlement over accusations that the company engaged in fraudulent transactions to boost reserves and hide losses.

Greenberg, who was chairman and CEO of AIG from 1967 until his ouster in 2005 and now serves as chairman and CEO of C.V. Starr & Co., will pay some $9 million to end his role in the saga. Also, Howard Smith, former AIG CFO and Greenberg’s lieutenant will pay $900,000 to settle the charges stemming from two alleged transactions designed to misrepresent company finances.

This included a $500 million deal in the year 2000 with reinsurer General Re, part of businessman Warren Buffet’s Berkshire Hathaway Inc., to pad AIG’s loss reserves. Greenberg allegedly initiated the Gen Re deal with a call to the company’s CEO.

The two former AIG leaders were also said to be involved in a deal with Capco Reinsurance Co., which masked a $210 million underwriting loss as an investment loss.

The sums paid by the men are related to performance bonuses earned from 2001 to 2004, according to New York Attorney General Eric Schneiderman, who inherited the long-running conflict. Schneiderman sought to ban the men from the securities industry and from serving as directors and officers of public companies as part of the settlement, which ultimately did not include these provisions.

Schneiderman had previously dropped a $6 billion damage claim against Greenberg and others, once a class action settlement was approved in 2013 under which Greenberg paid $115 million to AIG shareholders.

A 2009 settlement with the U.S. Securities and Exchange Commission over charges related to AIG‘s accounting saw Greenberg pay $15 million and Smith $1.5 million to the agency.

Late last year Greenberg and the Attorney General’s office turned to mediation after trial testimony had already begun in state court. The mediation, which ultimately produced the settlement, was run by alternative dispute resolution specialist Kenneth Feinberg.

The finale to the case was perhaps more of a whimper than a bang, with settlements hardly headline-grabbing and no one admitting to much more than accounting slips.

In a press release from the N.Y. State Attorney General’s Office, Schneiderman sounded a triumphant tone. “Today’s agreement settles the indisputable fact that Mr. Greenberg has denied for 12 years: that Mr. Greenberg orchestrated two transactions that fundamentally misrepresented AIG’s finances,” Schneiderman said in the statement. “After over a decade of delays, deflections, and denials by Mr. Greenberg, we are pleased that Mr. Greenberg has finally admitted to his role in these fraudulent transactions and will personally pay $9 million to the State of New York.”

Greenberg, who was unapologetic, in his statement said, “The Gen Re transaction was done for the purpose of increasing AIG’s loss reserves, and the Capco transaction was done for the purpose of converting underwriting losses into investment losses. I knew these facts at the time that I initiated, participated in and approved these two transactions…As a result of these transactions, AIG’s publicly-filed consolidated financial statements inaccurately portrayed the accounting, and thus the financial condition and performance for AIG’s loss reserves and underwriting income.”

The pundits had their say as well, split as to what it all meant.

“The taxpayers of New York State should be furious,” said the Wall Street Journal’s Paul Gigot, editorial page editor. “The $9 million fine amounts to pin money for Mr. Greenberg…It won’t come close to covering the state’s costs for pursuing the case over so many years…The real lessons of the Greenberg case start with the absurd lengths that progressive prosecutors will go to punish capitalists they don’t like,” Gigot said.

Mr. Greenberg’s lawyer David Bois called the deal with the Attorney General a “nuisance settlement,” according to the New York Times.

Others were less forgiving of Mr. Greenberg. “Just because he hasn’t pled guilty to fraud doesn’t mean he’s been vindicated,” David Schiff, a former insurance analyst who followed AIG, told the Times.

ILS Roars into 2017 as Maturities Loom

Alternative capital markets continue to see robust activity and at least one major carrier is bullish for the future of insurance-linked securities (ILS), even as the added capacity continues to pressure rates overall.

The insurance-linked securities market saw $5.9 billion of issuance in 2016 and is off to a strong start in the first quarter of 2017 with more than $500 million of new issues already on the books for January, according to a new report from Swiss Re, which sees continued potential upside.

“Market conditions are extremely favorable at the moment and pipelines appear to be swelling, therefore it would not be entirely surprising to see the market challenge record issuance,” the company said in its new report, Insurance Linked Securities Market Update, Volume XXVI, February 2017.

The report also notes that the first half of 2017 will see the largest-ever amount of maturities for a half-year as some $6.4 billion in bonds mature, which could have the effect  of reducing the overall total market outstanding depending on how robust issuance continues to be during the first half of 2017.

“To put it in perspective, the approximately $6.4 billion of bonds set to mature in first half 2017 is larger than all but the four largest historical full-year issuances,” Swiss Re said in its report.

2016 was an unusual year for the ILS market in that the patterns of issuance by quarter differed from most years, according to the report.

“New issuance volumes were atypical,” said the report, with third quarter issuance larger for the first time than that of the second quarter, usually the busiest quarter for new issuance due to the U.S. wind season.

Further, fourth quarter issuance was the largest of the four quarterly totals. Total bonds outstanding remained at just around the record level of $24.1 billion, due largely to the outsized fourth-quarter levels of new issues.

In yet another market anomaly, the 20 new transactions in 2016 was the lowest number of new deals brought to market since 2009.

The average size of those deals, however, at approximately $300 million, was second only to 2014, which included the largest-ever catastrophe bond, the mammoth $1.5 billion Everglades Re from Citizens Property Insurance Corporation (Florida Citizens). The 2016 average deal size of $300 million was also 20% larger than that in 2015, according to Swiss Re.

U.S. wind and earthquake were as usual the most frequently secured perils, but they were joined by a slate of newer and diversifying perils including Canada earthquake, Europe windstorm, Japan typhoon and earthquake, Australia cyclone and earthquake, extreme morbidity, and for the first time since 2005, motor third party liability, according to the report.

The 2016 insurance-linked securities market also differed from other recent examples as it was momentarily roiled by the first Category 5 hurricane since Dean and Felix in 2007.

As Hurricane Matthew roared towards the Florida coast during the first days of October, it touched secondary trading, particularly among those bonds “focused in the state of Florida, especially Blue Halo, Laetere, First Coast and Everglades,” said the Swiss Re report.

“As we have observed in the past during hurricane events, notably during Hurricane Odile and Hurricane Patricia in 2014 and 2015 respectively, the ILS secondary market quickly responded to the threat of Hurricane Matthew in October,” according to the report. “Following the formation of the hurricane, bonds with large wind exposure in Florida and the Gulf traded at a significant discount as the hurricane approached the Florida coast.”

Trading quickly returned to normal, however, as Matthew eventually made landfall on Oct. 8 southeast of McClellanville, South Carolina, as a Category 1 hurricane with 75 mph winds.

Total alternative capital levels in the sector are now pegged at some $78 billion.