NYDFS cyber security - agents

Agent FAQs for NYDFS/CCPA Data Protection Addendum (“DPA”)
We hope that these FAQs provide the information agents need to understand the new legal obligations for our relationships and the purpose for the DPA. If you have further questions, we invite you to email our dedicated mailbox for this DPA process at nydfsaddendum@transamerica.com. Our staff makes every effort to respond to inquiries in five business days.
Why are you sending this addendum?
The Data Protection Addendum (DPA) amends our contracts with our third party service providers, including agents, to include new privacy and cybersecurity requirements. The new requirements stated in the DPA focus on compliance with California Consumer Protection Act (CCPA) and New York Department of Financial Services (NYDFS) Cybersecurity regulations, as well as some other forthcoming laws. The addendum sets expectations for how sensitive Transamerica consumer and business information is processed and protected as required under those laws.
Why am I considered a “service provider” under the NYDFS Cybersecurity Rule?
The benchmark for the definition of a “service provider” is (1) whether the third party performs services on behalf of Transamerica, and (2) whether the third party has access to non-public information (customer data). The agent relationship meets that regulatory definition.
What if I don’t have Transamerica data or non-public information in my possession?
Even if you don’t currently have non-public information in your possession, agents still meet the definition of a “service provider”, because they have access to that information.
What if I don’t have any New York clients or customers?
As discussed above, the regulatory definition of “service provider” relates to the services provided by our agents and their access to information. Whether an agent currently has customers in New York is not a factor. By way of illustration, an agent who has no customers in New York today under the current selling agreement with Transamerica may write new business for New York customers next week. But at all times, the agent would have access to customer information while performing services on behalf of Transamerica.
What if I have questions or concerns about the technical requirements stated in the addendum?
Transamerica’s Information Security Office establishes cybersecurity standards and requirements for access to Transamerica systems and information. Those requirements are based on industry standards and best practices, and meet applicable legal requirements. In most instances, the requirements in the addendum are established information security standards common in the financial services industry. The requirements in the DPA are a necessary component of our relationship with our agents who have access to our systems and information. For concerns or questions about those requirements, please contact the Information Security Office at shlpthirdpartyreview@Transamerica.com.
Where can I find the “Requirements” described in the addendum?
Transamerica’s Information Security Office establishes and updates security requirements based on industry developments and regulatory changes. For more information about the requirements and standards applicable to Transamerica’s systems and information, please contact the Information Security Office at shlpthirdpartyreview@Transamerica.com.
Where can I learn more about the NYDFS Cybersecurity Rule?
For additional information about the New York Department of Financial Services Cybersecurity Rule, please visit the state agency’s website at https://www.dfs.ny.gov/industry_guidance/cybersecurity#cybersecurity-faqs.
What does the “monitoring” process look like?
Generally, Transamerica establishes the security requirements for access to systems and information and evaluates third-party service providers to ensure they maintain compliance with those requirements and controls stated in the DPA. We also review our own cybersecurity controls based on changes in the industry and updates to regulatory obligations.
What if I don’t agree to the addendum?
Transamerica’s agent and selling agreements include provisions permitting the company to change those agreements, as necessary, to comply with legal requirements (like the NYDFS and CCPA laws), as well as to update the standards and obligations of agents performing services on behalf of Transamerica. This addendum is made effective immediately as part of that update process and is applicable to all agents with relationships through those agreements without a requirement for countersignature.