Entities that the New York State Department of Financial Services (DFS) regulates will soon complete the compliance filings that the financial services cybersecurity regulation requires. This year they will notice a change.
The DFS regulates entities in the banking, financial services, and insurance sectors. These entities must submit a statement by April 15 each year about the state of their compliance with the regulation's requirements. Before this year, they had to submit a statement that they were complying with them during the prior calendar year.
An amendment to the regulation that took effect last November 1 expanded that requirement. Entities will have to complete and submit one of two forms:
Your agency will complete and submit the first one if it “materially complied” with the regulation's requirements during the prior calendar year. The agency must base this on records that support the conclusion.
The agency must submit the second one if it did not meet the requirements in one or more sections of the regulation that apply to it. The person completing this form must:
- Acknowledge that the agency did not “materially comply” with all the regulation's requirements during the prior year.
- Identify the sections the agency did not comply with.
- Describe what the agency failed to do and how big the failure was.
- Either affirm that the agency has since met the requirements or provide a timeline for eventual compliance.
The agency's highest-ranking executive and its chief information security officer (CISO) must sign whichever form the agency submits. If the agency does not have a CISO, the senior officer responsible for the agency's cybersecurity program must sign it instead. Most Big I New York members do not have a CISO. If the highest-ranking executive and the person responsible for cybersecurity are the same person, that person must sign it in both spaces.
Your agency must retain the documents supporting its filing for five years.
If you are one of the 92% of Big I New York members who qualify for the limited exemption, you must certify compliance or acknowledge noncompliance only with those sections of the regulation that apply to you.
Two things that have not changed:
- Your licensed employees who your agency's cybersecurity program covers do not have to submit either of these forms. They should have submitted a Notice of Exemption and given Section 500.19(b) as the reason.
- The regulation does not require the agency or its licensed employees to submit the Notice of Exemption again unless something has changed. An employee who changed employers or their name must submit a new one. So does an agency that grew too large to qualify under one of the three criteria for the limited exemption. If none of that is the case, the regulation does not require a Notice of Exemption every year. We have spoken with members who have done this unnecessary work.
More information is always available at:
With the New York State Department of Financial Services' (DFS) recent adoption of the second amendment to the Cybersecurity Requirements For Financial Services Companies regulation, members have naturally been contacting us to ask what they're required to do. The overwhelming majority of Big I NY members qualify for the limited exemption. If your agency is one of them, here are the sections of the regulation you must comply with regardless of your agency's size:
- Section 500.2, Cybersecurity Program - you must have a program in place to protect your computer network and any nonpublic information (NPI) stored on it. The program is made up of the devices you use, the protective devices and software you have in place, and the policies and procedures the users of your network follow.
- Section 500.3, Cybersecurity Policy - you must have written policies and procedures for protecting your computer systems and the NPI stored on them.
- Section 500.7, Access Privileges and Management - to the extent it's feasible for your agency, your cybersecurity policy must set limits on the parts of your system and NPI different users can access. It also must set limits on system administrator accounts and set procedures for regular management of all users' access.
- Section 500.9, Risk Assessment - at least annually, you must perform an assessment of your cybersecurity risks, identify system vulnerabilities, and develop a plan to address them.
- Section 500.11, Third-Party Service Provider Security Policy - your cybersecurity policy must include policies and procedures for ensuring the security of your systems and NPI that are accessible to, or held by, third-party service providers.
- Section 500.12, Multi-Factor Authentication - by November 1, 2024, your agency will have to implement authentication through verification of at least two types of factors such as passwords, tokens, and face scans.
- Section 500.13, Asset Management and Data Retention Requirements - your agency's cybersecurity policy must include policies and procedures for periodically and securely disposing of NPI you no longer need. By November 1, 2025, you will also have to maintain a written inventory of all your computer systems' devices, including who has them and where.
- Section 500.14, Monitoring and Training - by November 1, 2024, you must provide regular cybersecurity awareness training to the users of your computer systems.
- Section 500.17, Notices to Superintendent - you must notify DFS within 72 hours of determining that certain types of cybersecurity incidents have occurred. Also, between January 1 and April 15 each year, you must submit to DFS either a certification that your agency was in material compliance with the regulation the prior calendar year or an acknowledgement that you were not in material compliance with one or more sections. If it's that second one, you must report what you are doing about it.
For more information, visit:
More resources will be available soon. Watch our bi-weekly newsletters and this website for announcements.
For more than a year, the New York State Department of Financial Services (NYSDFS) has been working on amendments to the state’s cybersecurity regulation. On Wednesday, those changes were made final. Throughout the amendment process, Big I NY advocated strongly for many changes that will benefit independent insurance agencies and their customers, including an expanded limited exemption and a total exemption for inactive licensees. We also urged the department to eliminate the requirement that agents and carriers “cross police” each other as third-party service providers, and to eliminate the annual certification of compliance requirement; however, these suggestions were not adopted.
What it Means For You:
Expanded Limited Exemption: A welcome change is the expanded criteria for who qualifies for a “limited exemption.” The limited exemption exempts small and mid-sized entities from the most burdensome (but not all) requirements. An estimated 93% of Big I NY members will now qualify under the new criteria:
- Fewer than 20 employees (previously 10); or
- Less than $7.5 million in gross annual revenue over the last 3 fiscal years (previously $5 million); or
- Less than $15 million in year-end assets (previously $10 million).
Exemption for Inactive Licensees: Licensees who have no carrier appointments will now be completely exempt from the regulation.
Changes to Certification of Compliance: The compliance filing that you must submit every year by April 15 will now require you to identify requirements under the regulation where your agency was not in material compliance the year before. You will also have to explain whether you have achieved compliance and, if not, what you plan to do about it.
The filing will also require two signatures - one from the agency's senior officer, the other from the officer or manager in charge of cybersecurity. Big I NY repeatedly opposed these changes. We plan to ask NYSDFS for clarification on how agencies should handle that requirement when both roles are filled by the same person.
Multi-Factor Authentication and Cyber Training: Beginning November 1, 2025, all licensed entities (limited-exempt or not) must use multi-factor authentication for access to their information systems. Beginning April 29, 2024, all entities must provide their employees with cybersecurity awareness and social engineering training.
Big I NY Has Your Back:
We plan to provide videos and other media to further explain the changes. Also, watch for your chance to register for a special Gear Up presentation on the amendments later this month.
Don't forget that you can access our cybersecurity-related information at any time by visiting www.biginy.org/cyber and by checking the Cyber category in our Newsfeed.
Some of you may need individual help with the changes, and we're prepared to aid you with that as well. We are expanding our technical consulting service to include cybersecurity regulation compliance assistance. For an affordable hourly fee, you can get the individual attention you need to meet your obligations under the regulation.
Any change in laws or regulations that affects your business will be confusing and stressful, but we are here to make it as easy for you as possible. Check back here often as we add new content to help you with compliance.
The NYS Department of Financial Services this morning formally adopted changes to the cybersecurity regulation. This is something we have been anticipating for nearly 18 months. At the same time, it appears they may have emailed every licensed person for whom they have an email address to announce the adoption. You may have received this email.
Here is what you need to know today:
- We are in the process of reviewing the final version of the amendments. This is the third version of the amendments DFS has published, and it is not identical to what they proposed earlier.
- Both previous versions stated that the earliest date compliance will be required is 30 days from today (December 1), and that deadline applies only to reporting certain types of security breach incidents. Compliance with most of the changes will not be required until May 1, 2024, and some will have later compliance dates. No one has to do anything immediately.
- Once we've analyzed the final version, we will provide the information to members in a variety of media, including blog posts, possibly videos, webinars, meetings with local association boards, and any other methods we can think of that might work.
- We have also met with representatives from DFS about coordinating training on the amended requirements. That training will likely occur in early January.
- Visit the Compliance Resources section at www.biginy.org/cyber and the Cyber category in the Newsfeed section of our website, which you can find by hovering your cursor over the News link in the upper right corner. We have content about the previous two versions in those locations.
- Above all, please know that we're on top of this and there is absolutely no need for you to do anything right now.
We will post additional information here as soon as we have it ready.
Your IT staff is tired of pulling their hair out trying to convince you to use complex passwords!! Why MFA needs to be implemented!
Written by: Kathy Glahn, VP of Operations & Information Systems at Big I New York
Passwords these days need to keep getting longer and more complex. The new standard is a password of at least 13 characters made up of letters, numbers and special characters. Passwords should never contain personal information, such as your address, phone number, date of birth, wedding or divorce anniversaries (yes, some of us do celebrate divorces!), family names or pet names. They should also never contain information you included in one of those Facebook surveys... you know the ones: what is your favorite food, travel destination, and so on.
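To make the rules above concrete, here is an added example (my own code, not Big I NY's or Hive Systems') of a password check that enforces exactly what the post recommends: at least 13 characters, all three character classes, and no fragment of the user's own details, including the kind of answers social-media surveys collect. The profile and the candidate passwords are constructed for the example; the names `MIN_LENGTH`, `personal_terms` and `check_password` are assumptions of this snippet.

```python
import re
import string

# Minimum length the article recommends; the other rules follow its advice too.
MIN_LENGTH = 13


def personal_terms(profile: dict) -> list[str]:
    """Lower-cased fragments (3+ characters) taken from a user's profile:
    names, pet names, dates, phone numbers, survey-style answers.
    Returned sorted so that check results are deterministic."""
    terms = set()
    for value in profile.values():
        for fragment in re.split(r"[\s@./,\-]+", str(value)):
            if len(fragment) >= 3:
                terms.add(fragment.lower())
    return sorted(terms)


def check_password(password: str, profile: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special characters")
    # Personal information is matched case-insensitively anywhere in the password.
    lowered = password.lower()
    for term in personal_terms(profile):
        if term in lowered:
            problems.append(f"contains personal information: {term!r}")
    return problems


# Constructed sample profile (not a real person): the details an agency might
# hold about a staff member plus the answers a "fun" online survey collects.
SAMPLE_PROFILE = {
    "name": "Dana Example",
    "phone": "518-555-0100",
    "date_of_birth": "1985-06-14",
    "pet": "Biscuit",
    "favorite_food": "tacos",
}

if __name__ == "__main__":
    for candidate in ("Biscuit1985!!", "Tacos4Ever!", "correct-horse-4-battery"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

Note that a password such as `Biscuit1985!!` satisfies the length and character-class rules yet still fails, because the pet name and birth year are exactly the details an attacker who has read the owner's social media would try first; the long passphrase with no personal fragments is the one that passes.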
Did you know that passwords are now very easy to crack?
Hive Systems has published a chart indicating that the hardware behind ChatGPT can brute-force a 12-character password made up of numbers, letters, and symbols in 8 months. An 8-character complex password takes less than 1 second to crack. How scary is that?
So how can you create a secure login without needing to implement a 25-character password? Also, don't forget that passwords need to be un!que (see what I did there?), complex, and you should never use the same password on multiple websites. The answer is MFA!
It is important for everyone to implement Multi-Factor Authentication (MFA) for personal and business purposes. MFA requires more than one way to authenticate who you are when logging into software or a website. It is extremely important to implement MFA on any website or software that contains personal information.
MFA needs to be implemented on your agency management system, email, company website, banking sites (personal and business), benefits websites, etc. You can help your employees safeguard your business data and their own personal data by introducing MFA in your agency.
MFA is not hard to implement. Each piece of software handles it a little differently, but it usually comes down to checking a box indicating that you want MFA turned on. The next step is usually installing an authenticator app on your phone or entering an email address or phone number.
The New York State Department of Financial Services (DFS) today proposed revised changes to its cybersecurity regulation. Today's publication in New York State Register, the state's weekly compilation of regulatory changes, modifies amendments DFS proposed last fall. The revisions proposed today respond to comments Big I New York and others submitted earlier this year on the first proposal.
Most Big I New York members are agencies with eight or fewer employees. Much of the impact of the proposed amendments is on larger organizations such as carriers and banks. However, our preliminary review of today's proposal found some changes that affect all agencies and brokerages.
Last fall's proposal would require all covered entities to implement multi-factor authentication (MFA). MFA is a technology that helps prevent unauthorized access to computer networks. Many cyber insurance companies require their insureds to implement it. The revised proposal limits the impact on agencies eligible for the limited exemption. These smaller companies will have to use MFA for:
- Remote access to the company's network (such as when staff log in offsite).
- Remote access to third party software applications from which individuals can access non-public information.
- All system administrator accounts.
The first proposal expanded the annual Certification of Compliance requirement. It would have forced all entities to disclose areas of the regulation where they were not in compliance. Big I New York objected, saying, “Requiring covered entities to document noncompliance and identify specific areas of vulnerability will put NYSDFS in possession of a list of prime targets for cyberattack or extortion, which bad actors will seek to access and exploit.” DFS agreed and has dropped the requirement. Instead, entities will have to produce reports upon request.
Last fall's proposal deleted wording from the Third-Party Service Provider (TPSP) section that an “agent, employee, representative or designee” of a covered entity who follows its TPSP security policy need not create its own. Some observers worried that removing it imposed new duties on individuals. DFS confirmed that they removed it because the section on Exemptions has similar wording.
We requested longer transition periods for some new requirements. DFS rejected most of these suggestions but did lengthen the transition period for implementing MFA. That period will be two years from the amendments' effective date, whenever that may be.
DFS rejected other Big I New York suggestions, including:
- Making entities eligible for the limited exemption if they have less than $10 million in New York gross revenue instead of the current $5 million.
- When determining whether an entity has fewer than 20 employees (and thus qualifies for the limited exemption), including only independent contractors who are in the insurance business.
- Clarifying the MFA section to state that entities that do not have a chief information security officer (CISO) may use more secure alternatives to MFA.
- Removing “image and reputation" and “other organizations" from the list of risks entities must identify when they perform their risk assessments.
- Requiring entities to perform risk assessments annually only if their cyber risks have materially changed.
- Under the TPSP security policy section, exempting agencies from having to perform due diligence on carriers and other covered entities, and vice versa.
- Limiting punishable acts only to intentional failures to comply and lengthening the minimum violation period to 72 hours.
DFS has not adopted the proposed amendments yet. Members of the public may submit comments until August 14 by emailing Joanne Berman of DFS. We encourage all of you to review the proposal and the assessment of public comments (see the links below) and submit appropriate comments on the new proposal.
Big I New York will continue to keep you informed on developments regarding this important regulation.
For more information, see:
The deadline for submitting the annual certification of compliance with New York's cybersecurity regulation for financial services companies is this Saturday, April 15. If you haven't submitted the certification for your agency yet, you must do so by the end of the day Saturday.
The certification is one of the requirements in the New York State Department of Financial Services (DFS) regulation Cybersecurity Requirements For Financial Services Companies, which is Part 500 of Title 23 of the New York Codes, Rules and Regulations (23 NYCRR 500). Subsection (b) of Section 500.17 states:
"Annually each covered entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by April 15th ... certifying that the covered entity is in compliance with the requirements set forth in this Part."
You can submit the certification by visiting the DFS cybersecurity portal, logging in, clicking the link displayed under "Cyber Security Notice" on the next screen, clicking the COMPLIANCE button on the screen after that and following the prompts. Step-by-step instructions are available here.
Your licensed employees who are covered by your agency's cybersecurity program are not required to submit this certification. More information about what is required is available in our blog post of January 13, 2023.
DFS intends to make several changes to the regulation this year. To learn about them, check out:
One question we frequently get from members is whether a specific type of information is "nonpublic information" that the New York cybersecurity regulation requires them to protect. We've created an easy-to-use decision tree to help you figure that out. Simply answer the yes-no questions in order and you will be able to determine whether the regulation requires you to protect it or not.
This file will be permanently posted in the Compliance Resources section of the Cybersecurity page on our website (www.biginy.org/cyber). Click here to download it now. Note: If you want to print it, you may have to adjust the print settings to shrink the file to 95% or so.
We are knee-deep in 2023. This is the time of year when Big I NY gets a lot of questions from members about what they have to do to comply with the Cybersecurity Requirements For Financial Services Companies regulation. Though the New York State Department of Financial Services (DFS) has proposed a number of changes to that regulation, none of them are in effect yet. Therefore, your obligations are the same this year as they were last year.
Here are answers to the questions we get most frequently:
- The agency must complete and submit the online Certification of Compliance to the DFS between now and April 15.
- Agencies that fail to submit the Certification of Compliance by April 15 may be subject to fines by the DFS.
- Licensed agency employees who are covered by the agency's cybersecurity program (which is likely all of them) are not required to submit a Certification of Compliance.
- Instructions on how to complete the Certification of Compliance are available on our website and also on the DFS website.
- This is the sixth year that agencies have been required to submit the certification, so Big I New York will not provide phone assistance with completing it this year.
- The agency is not required to re-submit the Notice of Exemption unless it has grown too large to qualify for the limited exemption.
- Licensed agency employees are not required to re-submit the Notice of Exemption unless they have changed employers or names.
- DFS does not offer a way for the public to determine the exemption a specific licensed individual submitted.
Members can obtain our resources on how to comply with the regulation at any time at www.biginy.org/cyber. To learn about the changes that may be coming to the regulation, check out:
You may have received an email message from DFS announcing the proposed changes. That message informed recipients that they may provide comments to the department between now and Jan. 9, 2023.
The 20-page proposal closely resembles a pre-proposal draft DFS published last July. Big I New York provided comments to the department in response, and DFS appears to have taken some of our comments into consideration as they wrote the formal proposed amendments.
Many of the amendments are targeted toward larger “covered entities” (the regulation’s term for any person or organization licensed under the state’s banking, financial services or insurance laws), such as insurance carriers and banks. However, some changes will apply to smaller agencies and brokerages as well:
- More agencies and brokerages will qualify for exemption from parts of the regulation. Entities will have a limited exemption if they have fewer than 20 employees, including independent contractors (up from 10); less than $5 million in New York revenue (unchanged); or less than $15 million in gross assets (up from $10 million). The entity qualifies if any one or more of these is true.
- Inactive individual agents and brokers will be exempt from the regulation.
- All agencies and brokerages of any size will be required to implement multi-factor authentication (MFA) for system administrators and users who access the computer network or third party applications remotely.
- The agency’s board of directors, if it has one, or its senior officer in charge of cybersecurity (probably the agency principal) will be required to approve its cybersecurity policies and procedures annually.
- Those policies and procedures will have to address remote access if the agency has remote or hybrid employees. They will also have to include a policy for network passwords that meet industry standards.
- New restrictions will apply to the granting of system administrator access privileges.
- The mandatory risk assessments will have to be done annually, rather than “periodically.”
- All agencies and brokerages of any size will be required to maintain a written inventory of technology assets such as laptops, mobile phones and tablets.
- All agencies and brokerages of any size will be required to report any hacks of a system administrator’s account, ransomware attacks, and if they make any extortion payments.
- When submitting the annual certification of compliance, entities will be required to report any areas of the regulation with which they are not in compliance. They will have to report their plans for achieving compliance.
- Failure to comply with the regulation for any 24-hour period will be considered a violation, subjecting the agency to potential disciplinary action. DFS will determine the amount and extent of penalties based on 15 factors listed in the proposal.
If adopted, the amendments will take effect on the date of adoption, which will likely be sometime in the first quarter of 2023. You will have 30 days from that date to prepare to comply with the additional cybersecurity event reporting requirements; one year to comply with the MFA requirement; 18 months to comply with a new requirement that MFA apply to administrator accounts and all remote access; and two years to implement the asset inventory requirement. The compliance deadline for all other changes will be 180 days after the effective date.
For example, if DFS publishes a formal notice of adoption on March 1, 2023, you will have until approximately September 1 to implement most changes. You would have to implement the notice requirements by March 31; MFA by March 1, 2024; and the asset inventory requirement by March 1, 2025.
As required by law, DFS will accept comments from interested members of the public until 5:00 pm, Monday, January 9, 2023. If you wish to submit comments, direct them to:
New York State Department of Financial Services
One State Street
New York, NY 10004
Big I New York intends to submit comments. We will post future updates on this website.