NY CYBER REG: WHAT YOUR AGENCY MUST DO
As has been the case for the nine years the New York cybersecurity regulation has been in effect, sometime between now and April 15, each agency must log into the NYS Department of Financial Services (DFS) cyber portal and complete and submit one of two forms:
- Certification of Material Compliance (if the agency was in material compliance with all sections of the regulation that applied to it in 2024.)
- Acknowledgement of Non-Compliance (if the agency was not in material compliance with all sections that applied to it in 2024.)
Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.
Also, please be aware that an agency’s licensed employees are NOT required to submit a compliance filing if the agency’s cybersecurity program covers them (which it probably does). Unlicensed employees have no filing obligations at all.
In November 2023, DFS adopted amendments to the regulation that implemented a number of changes that were phased in between Nov. 1, 2023 and Nov. 1, 2025. The bulk of these changes impacted larger entities that do not qualify for the limited exemption. More than 90% of Big I New York members were not impacted by those changes. However, there are some requirements that even small agencies had to meet starting in 2024 and 2025. The following items apply to all agencies:
2024 Changes
- Risk assessments must be done annually.
- The agency’s senior officer or its governing body (if it has one) must review and approve the written cybersecurity policies and procedures annually.
- Cybersecurity awareness training, including training on social engineering attacks, must be provided to employees annually.
- Multi-factor authentication (MFA) must be implemented for situations where agency staff access the agency’s computer system remotely (from home, cars, restaurants, etc.)
2025 Changes
- Use of system administrator accounts, if the agency has a systems admin, must be restricted.
- Written policies and procedures for producing and maintaining an asset inventory of the agency’s systems– workstations, mobile devices, phones, printers, etc. must be implemented.
Not sure what requirements your agency must meet? Download this handy checklist.
We also have an FAQ document that answers most, if not all, the questions we receive about the regulation.
If you need help completing the filing, we encourage you to watch the recording of a webinar Tim Dodge presented last April in which he went step-by-step through the process. Dozens of members attended that webinar and completed their filings in real time. The procedure has not changed since then, so it should be a useful aid for you.
DFS has also provided written instructions for both the certification and acknowledgement forms. You may find these useful.
Members who wish to have Big I New York staff members provide one-on-one assistance with the filing may obtain that assistance, but there is an additional charge of $100.
As a reminder, this regulation applies to the entire financial services sector doing business in New York, not just insurance agencies. Also, while New York was the first state to implement these types of requirements for insurance businesses, as of last summer 27 other states and Puerto Rico had enacted similar requirements.
For more information, visit:
Big I NY Cybersecurity Resources
Big I NY Newsfeed – Cyber section
NYS DFS Cybersecurity Resources
For answers you can’t find there, contact Tim Dodge at 800-962-7950 extension 229 or at tdodge@biginy.org.
Topics
