NYDFS cyber security - agents

The Data Protection Addendum (DPA) amends our contracts with our third party service providers, including agents, to include new privacy and cybersecurity requirements. The new requirements stated in the DPA focus on compliance with California Consumer Protection Act (CCPA) and New York Department of Financial Services (NYDFS) Cybersecurity regulations, as well as some other forthcoming laws. The addendum sets expectations for how sensitive Transamerica consumer and business information is processed and protected as required under those laws.

The benchmark for the definition of a “service provider” is (1) whether the third party performs services on behalf of Transamerica, and (2) whether the third party has access to non-public information (customer data). The agent relationship meets that regulatory definition.

Even if you don’t currently have non-public information in your possession, agents still meet the definition of a “service provider”, because they have access to that information.

As discussed above, the regulatory definition of “service provider” relates to the services provided by our agents and their access to information. Whether an agent currently has customers in New York is not a factor. By way of illustration, an agent who has no customers in New York today under the current selling agreement with Transamerica may write new business for New York customers next week. But at all times, the agent would have access to customer information while performing services on behalf of Transamerica.

Transamerica’s Information Security Office establishes cybersecurity standards and requirements for access to Transamerica systems and information. Those requirements are based on industry standards and best practices, and meet applicable legal requirements. In most instances, the requirements in the addendum are established information security standards common in the financial services industry. The requirements in the DPA are a necessary component of our relationship with our agents who have access to our systems and information. For concerns or questions about those requirements, please contact the Information Security Office at shlpthirdpartyreview@Transamerica.com.

Transamerica’s Information Security Office establishes and updates security requirements based on industry developments and regulatory changes. For more information about the requirements and standards applicable to Transamerica’s systems and information, please contact the Information Security Office at shlpthirdpartyreview@Transamerica.com.

For additional information about the New York Department of Financial Services Cybersecurity Rule, please visit the state agency’s website at https://www.dfs.ny.gov/industry_guidance/cybersecurity#cybersecurity-faqs. 

Generally, Transamerica establishes the security requirements for access to systems and information and evaluates third-party service providers to ensure they maintain compliance with those requirements and controls stated in the DPA. We also review our own cybersecurity controls based on changes in the industry and updates to regulatory obligations.

Transamerica’s agent and selling agreements include provisions permitting the company to change those agreements, as necessary, to comply with legal requirements (like the NYDFS and CCPA laws), as well as to update the standards and obligations of agents performing services on behalf of Transamerica. This addendum is made effective immediately as part of that update process and is applicable to all agents with relationships through those agreements without a requirement for countersignature.