Will concerns expand into
other matters of the regulation of insurance?
As the practice of the business of insurance moves
to tangled webs of TPSPs, affirmative and effective insurance regulation will become more difficult.
By Kevin P. Hennosy
If my understanding of calendars has not failed me, this will be the first appearance of this column in the year 2026. Happy New Year!
In the process of writing this month’s column, this intrepid commentator ensconced himself in a local coffeehouse. One could say, channeling Lloyd’s of London?
A young woman who works for the coffeehouse stopped, and asked, “What are you working on?” I told her I was writing a column for an insurance magazine. Her gaze turned sullen, to which I responded: “Oh, it gets worse, I write about ‘insurance regulation.’” To which she retorted, “I don’t even know what that means.”
Immediately I gave her the contact information for the National Association of Insurance Commissioners’ (NAIC) Personnel Department. She shows the specific kind of promise that the “Gray Lady of Insurance Regulation” selects for.
Yes, if anyone wondered, Santa did not leave a positive attitude under the tree at the Hennosy House.
So onward into the new year.
Empire State
On October 21, 2025, the New York State Department of Financial Services (DFS) announced: “Acting Superintendent Kaitlin Asrow … issued new cybersecurity guidance addressing the risks associated with entities becoming increasingly reliant on third-party service providers (TPSPs).”
The acting superintendent continued, “To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using [TPSPs].”
Concurrently with that announcement, the DFS issued an Industry Letter (The Letter), which discussed details of the acting superintendent’s decision. That decision represents an attempt to provide consumer data protection for an increasingly complex web of business relationships.
To reiterate, the DFS guidance to the financial services sector addresses cyber risk to nonpublic data and other information gathered by insurers and other actors in financial services. Also, the DFS news release states: “This guidance does not impose new requirements or obligations on DFS-regulated entities. Rather, the guidance is intended to clarify regulatory requirements under DFS’s cybersecurity regulation and share best practices that entities should consider implementing.”
However, the concerns that shaped this guidance could expand into other matters of regulation of the business of insurance. We will discuss that later.
The Letter applies to “covered entities” of the DFS, which range well beyond “the friendly confines” of insurance regulation. The Letter explains the DFS’s reach, as follows: “[A]ny person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”
The DFS asserts “covered entities’ exposure to threats will continue to grow as their reliance on technologies managed by TPSPs—such as cloud computing, file transfer systems, artificial intelligence, and fintech solutions—increases.”
In addition to the volume of TPSPs’ usage, the DFS expressed another concern: “The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.”
Acting Superintendent Asrow said, “While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk.”
The Letter explains that through examinations and investigations, “DFS has identified areas where covered entities should strengthen their TPSP programs, including how they monitor, assess, and manage TPSP cybersecurity risk.”
In response to those findings from the market conduct-related activity, the DFS “has identified the need for more robust due diligence, contractual provisions, monitoring and oversight, and TPSP risk management policies and procedures.”
“Moreover, DFS has observed a trend in which some covered entities outsource critical cybersecurity compliance obligations to TPSPs without ensuring appropriate oversight and verification by senior governing bodies or senior officers,” wrote the Empire State financial regulators.
The Letter continues with an advisory, which could sound menacing if the reader is in the right mood: “As noted in previous guidance, covered entities may not delegate responsibility for compliance with the cybersecurity regulation to an affiliate or a TPSP.”
Tangled webs
Now for the next few paragraphs, this column will drift into a genre that journalists used to call a “think piece.” The genre is fraught with danger, and I doubt there is a journalism school in the world that includes think pieces on their syllabus. Even the “Dr.” of Gonzo Journalism, Hunter S. Thompson, described think pieces as work products of “rare and ill-advised occasions.”
That said, my degrees were awarded in political science, and not journalism, so a think piece follows.
Sir Walter Scott could not have known when he penned the phrase “Oh what a tangled web we weave” how meaningful it would be in the year 2026. In 1808, Scott used the phrase to describe when people “practice to deceive.”

Putting deception aside, Scott could have been talking about conducting business operations “on the cheap.” Today, the tangled web equates with the term “organization chart.” The DFS is trying to address a tangled web that well-regulated spiders should never have been allowed to spin.
To reiterate, the DFS statement and The Letter concern only cyber risks; however, it makes one think about what this tangled web of TPSPs means to the McCarran-Ferguson Act, which empowers and requires the states to regulate the business of insurance.
One of the most authoritative Supreme Court rulings on the McCarran-Ferguson Act is Securities and Exchange Commission (SEC) v. National Securities, Inc., 393 U.S. 453 (1969). In that case, the court “spanked” an Arizona insurance commissioner for acting in the interests of “shareholders,” an action that the court ruled was reserved for the SEC.
To illustrate the regulatory overreach, the opinion describes just what Congress intended when it passed the McCarran-Ferguson Act and delegated limited and contingent authority over the business of insurance to the states.
The opinion notes: “The statute did not purport to make the States supreme in regulating all the activities of insurance companies; its language refers not to the persons or companies who are subject to state regulation, but to laws ‘regulating the business of insurance.’”
But if not insurance companies, insurance executives, or insurance agents, what did Congress intend when using the term “business of insurance”?
Writing for the Court majority, Associate Justice Thurgood Marshall gave us the answer: “The relationship between insurer and insured, the type of policy which could be issued, its reliability, interpretation, and enforcement—these were the core of the ‘business of insurance.’ Undoubtedly, other activities of insurance companies relate so closely to their status as reliable insurers that they too must be placed in the same class.”
From a layperson’s interpretation of the court’s ruling, if the rare vertebrate insurance regulator sought to regulate the business of insurance, their jurisdiction does not end at the door of the TPSPs.
If the TPSP is providing services involving a “type of policy which could be issued, its reliability, interpretation, and enforcement,” then that service provider is reasonably understood as engaged in the “business of insurance.”
Regulating the relationship between insurer and insured is the charge of the insurance regulator, no matter where that relationship goes. In the first decade of this century, New York’s insurance regulators did not show the grit or gumption to regulate the relationship between bond issuers and the purveyor of their insurance products, American International Group, which led directly to the near collapse of that behemoth company.
As the practice of the business of insurance moves to tangled webs of TPSPs, affirmative and effective insurance regulation will become more difficult. It appears that the authority exists to do the job. The question is whether state insurance regulators have the backbone, grit, and gumption to live up to the limited and contingent authority lent to them by Congress.
So, take that Dr. Hunter S. Thompson.
The author
Kevin P. Hennosy is an insurance writer who specializes in the history and politics of insurance regulation. He began his insurance career in the regulatory compliance office of Nationwide and then served as public affairs manager for the National Association of Insurance Commissioners (NAIC). Since leaving the NAIC staff, he has written extensively on insurance regulation and testified before the NAIC as a consumer advocate.