
Oct 23
New DFS Cybersecurity Guidance Explained

The New York State Department of Financial Services (DFS) issued new cybersecurity guidance for regulated entities, including insurance agencies, focused on third-party service provider (TPSP) oversight under the state's financial services cybersecurity regulation.

The update doesn't add new requirements but clarifies how agencies may want to manage vendors with access to nonpublic information.

What DFS Section 500.11 Requires

Insurance agencies and other covered entities must maintain written TPSP cybersecurity policies and procedures that address:

  • Identifying your third-party service providers
  • Setting minimum cybersecurity standards
  • Performing due diligence on vendor security
  • Periodically reassessing each TPSP's controls

These steps are part of the DFS Cybersecurity Regulation, a key compliance framework for New York-licensed and -chartered banking, financial services, and insurance entities.

What's in the DFS TPSP Guidance Letter

DFS's recent industry letter targets executives and information security officers across the financial sector, from insurance carriers to credit unions and virtual currency firms.

It's detailed, technical, and assumes access to full cybersecurity teams. The department notes the letter is not a new rule, but a clarification and best-practice guide.

What's Realistic for Small Insurance Agencies

Not everything in the DFS letter fits small or mid-sized agencies. DFS itself says, “This is not an exhaustive list of contractual provisions … nor is this list viable or appropriate in all situations." For most independent agencies, focus on practical steps like:

  • Requiring multifactor authentication (MFA)
  • Enforcing data encryption
  • Requiring breach notifications from vendors

Do what your agency can afford both in terms of dollars and time.

Action Steps for Agencies

  1. Use the DFS cybersecurity program template (pages 6 & 15), also available at biginy.org/cyber.
  2. Take advantage of Big I New York resources:
  3. Document your process. Even simple steps show good-faith compliance.

Why It Matters for New York Agencies

Your client and policyholder data is a critical asset. Every third-party vendor, from your agency management system provider to your information technology consultant, can access it. That's what Section 500.11 is designed to protect. And it's not just New York. As of August 2025, 28 other states have similar insurance data security laws.

Key Takeaways

  • Take TPSP security seriously.
  • Prioritize safeguards your agency can reasonably afford.
  • Document your efforts. It shows compliance readiness.
  • Review vendor cybersecurity practices regularly.

Cybersecurity = loss control. Treat it like any other type of risk mitigation in a way that is consistent, proportional, and affordable.

About the Author

Tim Dodge
Assistant Vice President of Research & Education, Big I New York

Tim Dodge helps independent insurance agencies navigate compliance, regulation, and emerging risks. Big I NY advocates for New York's independent agents and provides education, tools, and resources to help members thrive.

For more cybersecurity guidance, visit www.biginy.org/cyber.

Oct 03
DFS Warns of Cybersecurity Risk from Cisco Devices
The New York State Department of Financial Services (DFS) is warning the entities it regulates about a serious new cybersecurity threat affecting certain Cisco firewall devices. Many companies use them to protect their networks. Attackers are actively exploiting a “zero-day” vulnerability — a flaw that criminals are using before the vendor provides a fix — to break into systems and potentially steal data or disrupt operations.

What’s Happening

Authorities have found Cisco’s ASA (Adaptive Security Appliances) and Firepower devices, which many organizations use as part of their network security, to have critical weaknesses. Hackers are taking advantage of these flaws to:

  • Sneak into networks remotely.
  • Gain control over systems.
  • Install malicious code that stays active even after reboots or upgrades.

Because these attacks are already happening “in the wild,” DFS and the federal Cybersecurity and Infrastructure Security Agency (CISA) are urging businesses to act quickly.

What You Should Do

If your agency or your clients use Cisco equipment — especially ASA firewalls or Firepower security devices — it’s important to act right away:

1. Talk to your IT provider or internal tech team. Ask them to check if your business uses any of the affected Cisco products.
2. Look for signs of compromise. Your IT team may need to run special checks to see if attackers have already targeted your network.
3. Install updates as soon as they’re available. Cisco is working on patches to fix the issue. If a device is past its support date, replace it. 
4. Document your steps. Keep a record of what actions you’ve taken and any risks you’ve identified.

If your agency experiences a cybersecurity incident, the New York financial services cybersecurity regulation may require you to report it.

Why This Matters

Cybercriminals are getting faster and more sophisticated — and they often target vulnerabilities like this before most businesses even know they exist. Staying ahead of threats means responding quickly, patching devices promptly, and working closely with trusted technology partners.

If you work with an IT consulting firm, give them a copy of the DFS letter for details on the nature of the problem. You may also want to contact your cyber insurance clients about the threat and offer to review their coverage with them.

For more information on the cybersecurity regulation and cyber threats, visit:

Aug 07
REMINDER: Cybersecurity Requirements Coming Nov. 1

There's one last deadline coming up for insurance agencies and others subject to New York's cybersecurity requirements for financial services companies regulation. By November 1 of this year, all businesses covered by the regulation must implement policies and procedures to create and maintain inventories of their computerized assets. We have created a Microsoft Excel workbook for members to download and use to meet this requirement.

Also by November 1, all covered entities must implement multi-factor authentication for all remote access to the agency's computer network and third-party applications (such as agency management systems) that can be accessed from a mobile device and that contain non-public information.

We encourage all agencies to begin working on these requirements now, rather than waiting until Halloween. More information is available at www.biginy.org/cyber

Jun 23
DFS Urges Cyber Precautions Due to World Events

The New York State Department of Financial Services (DFS) today advised all entities it regulates to prepare for increased risks of cyber attacks resulting from recent global conflicts. The industry letter appears to have been prompted by the entry over the weekend of the United States into the conflict between Israel and Iran.

Parts of the letter focused on laws and regulations pertaining to virtual currencies and U.S. sanctions against certain countries. Much of it discussed cybersecurity precautions. “Escalating global conflict significantly elevates cyber risk for the U.S. financial sector, including an increased risk of ransomware attacks and phishing campaigns," the letter said.

The department advised all entities to review their cybersecurity programs to ensure full compliance with the state's financial services cybersecurity requirements regulation. They encouraged emphasis on multi-factor authentication (MFA), management of system administrator accounts, and disabling or securing software that enables a person to remotely access and control a separate workstation.

Other measures the department recommended that apply to all entities, including insurance agencies that have limited exemptions from the requirements, include:

  • Assessing their risks in view of the new threat level.
  • Monitoring and assessing risks posed by third-party service providers.
  • Testing the ability to fully restore systems from backup copies of data.
  • Giving all employees additional cybersecurity awareness training and reminding them of the additional hazards resulting from world events.

In addition, even small agencies should have at least an informal plan for recovering from disasters such as fires, hurricanes, power and network outages, and cybersecurity attacks. This might include assignments of specific tasks to individuals, lists of staff personal phone numbers and email addresses, carrier contact information, and so on.

The department also suggested tracking guidance and alerts from government sources such as the Cybersecurity and Infrastructure Security Agency (CISA). The letter also reminded entities of the requirement to notify DFS of certain cybersecurity incidents and to report them to appropriate law enforcement agencies such as the FBI and CISA.

We live in dangerous times where cyber criminals can shut down an insurance agency's business. If you work with a technology consultant on cybersecurity, now would be a good time to check in for advice on how to protect your agency.

Jun 16
Reporting Cybersecurity Incidents

It is always possible that your agency – or one of the third-party service providers (TPSPs) the agency works with – will be victimized by cyber criminals. If that happens, the New York financial services cybersecurity regulation requires you to notify the state Department of Financial Services (DFS). While you're attempting to limit and repair the damage, these are some questions that might come up:

What is a “cybersecurity incident"?

The regulation defines that term in two parts. The first is “cybersecurity event," which has a very broad meaning. It is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." Any of these could be a cybersecurity event:

  • Someone enters the wrong password three times while trying to log into your network and gets locked out.
  • Someone sends your office a phishing email.
  • Someone outside your agency calls an employee and asks for their network password.

The DFS is not interested in hearing about most of that stuff. They want to hear about “cybersecurity incidents." These are cybersecurity events that:

  • Have occurred at your work location, at any company related to your agency by ownership, or at a TPSP; and
  • Impact your agency and require you to notify a governmental body such as the state police; or
  • Have a reasonable likelihood of materially harming any material part of your normal operations; or
  • Result in the deployment of ransomware within a material part of your computer systems.

If it affects you, one of your affiliates, or one of your TPSPs, and it either requires you to notify the authorities, will likely substantially harm any crucial parts of your operations, or results in extortionists shutting you down, you must report it to DFS.

When do we have to report the incident?

“(A)s promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider." The clock starts ticking when your office has determined that an incident occurred. That could be when your technology people confirm that your systems were hacked, or it could be when a TPSP informs you that it has suffered a breach.

How do we report an incident?

The regulation requires the covered entity to make the report electronically on the DFS portal (https://myportal.dfs.ny.gov/). It's the same portal where your agency makes the annual compliance filings and where agencies and individuals submit exemption filings when appropriate.

How do we fill out the report?

DFS has provided instructions on how to complete it.

What happens after we submit the report?

If DFS decides to investigate the matter, they may contact your office for additional information. Understand that, if the incident occurred to one of your insurance carriers, any agency significantly impacted by the incident is required to report. That means DFS may receive a large volume of notifications. It is possible that they might not contact every agency that notified them.

What happens if we do not report an incident?

The regulation states that any “failure to act to satisfy an obligation" is considered a violation. DFS has authority to penalize violators.

Anything else we should do?

Create the strongest cybersecurity program you can reasonably afford to reduce the odds that you will ever have to make this report. Your time is better spent serving your clients than repairing the damage a cyber-attack can cause.

Where can I get more information?

Three good sources:

Apr 08
New: Cyber Reg FAQ Document

We are happy to announce a new resource to help you comply with New York's financial services cybersecurity regulation - a "frequently asked questions" document. 

The seven-page file provides answers to some of the questions Big I New York members ask most often about the regulation, including:

  • Are licensed employees required to make the annual compliance filings?
  • How do I get help completing the compliance filing?
  • Does my agency have to submit the Notice of Exemption every year?
  • Do agency employees have to submit the Notice of Exemption every year?
  • If my agency qualifies for the limited exemption, what requirements do we have to meet?

And many more. We encourage you to review it and save a copy for future reference. There is a link to it on the main page of the Cybersecurity section of our website. 

When it comes to regulatory compliance, Big I New York has your back.

Apr 07
New Cybersecurity Reg Compliance Tool - Asset Inventory Workbook

As we mentioned last week, the New York financial services cybersecurity regulation requires all covered entities (including all insurance agencies) to create and maintain an inventory of their information system assets. Entities have until Nov. 1, 2025 to comply with this requirement.

We have developed a Microsoft Excel workbook that will help you meet this requirement. For each listed device, it has fields for several pieces of information, including those the regulation specifically mentions (owner, location, classification/sensitivity, support expiration date, recovery time objectives). Where possible, it uses drop-down menus to make selecting an answer easier. It is currently formatted for up to 100 devices. Should we start to get complaints that this is not enough, we'll update it.
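As an added illustration (this is not the Big I NY workbook or any DFS material), the following Python check runs over a constructed inventory that carries the fields the regulation names and flags devices whose vendor support has expired, the condition the Cisco advisory above says calls for replacement. The column names, the sample rows and the check date are my assumptions.

```python
import csv
import io
from datetime import date

# Fields the regulation specifically names for each asset (per the post above).
# The column names themselves are an assumption, not the workbook's.
REQUIRED_FIELDS = ("asset", "owner", "location", "classification",
                   "support_expiration", "recovery_time_objective_hours")

# Constructed sample inventory for a small agency; not real data.
SAMPLE_INVENTORY = """\
asset,owner,location,classification,support_expiration,recovery_time_objective_hours
Front desk PC,J. Smith,Main office,Internal,2027-03-31,24
Agency laptop 1,A. Jones,Remote/home,Confidential,2024-06-30,8
Office firewall,IT consultant,Main office,Critical,2025-01-15,4
Scanner,,Main office,Internal,2028-12-31,
"""


def parse_inventory(text):
    """Parse the CSV inventory into a list of row dicts (values kept as strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def check_inventory(rows, today):
    """Return (asset, finding) tuples for every row that needs attention."""
    findings = []
    for row in rows:
        name = row.get("asset") or "<unnamed>"
        # 1. Every field the regulation names must be filled in.
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append((name, f"missing {field}"))
        # 2. A device past its support date no longer receives security fixes;
        #    the DFS Cisco advisory above says to replace such devices.
        exp = (row.get("support_expiration") or "").strip()
        if exp:
            try:
                if date.fromisoformat(exp) < today:
                    findings.append((name, f"support expired {exp}; replace or isolate"))
            except ValueError:
                findings.append((name, f"unparseable support_expiration {exp!r}"))
    return findings


def check_inventory_text(text, today_iso):
    """Convenience wrapper: parse and check in one call, with the date as ISO text."""
    return check_inventory(parse_inventory(text), date.fromisoformat(today_iso))


def summarize(findings):
    """Group findings by asset so each device gets one line in a report."""
    report = {}
    for asset, finding in findings:
        report.setdefault(asset, []).append(finding)
    return report


if __name__ == "__main__":
    # Check the sample inventory as of the regulation's Nov. 1, 2025 deadline.
    for asset, problems in summarize(check_inventory_text(SAMPLE_INVENTORY, "2025-11-01")).items():
        print(f"{asset}: {'; '.join(problems)}")
```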

The new workbook is available here. You can always find it by:

  1. Logging in at www.biginy.org.
  2. Clicking the Cybersecurity button on the home page.
  3. Clicking the Compliance Resources image.
  4. Clicking on "Step 2: Conduct An Internal Agency Risk Assessment."
  5. Clicking on "Device Inventory."

Apr 04
NY Cybersecurity Regulation: Data Retention & Disposal Requirements

Question from a Big I NY member: "Question regarding data retention. In our agency management system (AMS), we retain files as long as the provider does. Is that acceptable? We do so for protection, i.e., say we wrote life insurance and fifteen years later the client dies and the company claims some type of misrepresentation from insured on application. We would want all of the backup notes, signed forms, questionnaires. Is this okay? I could not find on your website anything addressing this besides that we need to keep for the required legal periods, say seven years as a minimum, but what about longer?

Also, say a client leaves us, I do not delete their files in the AMS. They may come back and if so, I do not have to develop all the same information again such as address, date of birth, etc., or maybe a coverage issue arises down the road from pollution liability, etc. Am I under any obligation to wipe a client off the AMS after they are no longer a client after say seven years, or am I allowed to retain?"

Answer: Section 500.13 of the regulation states:

"(b) As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1 (k) (2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained."

Section 500.1(k)(2)-(3) states:

"(k) Nonpublic information means all electronic information that is not publicly available information and is: …

  (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
    (i) social security number;
    (ii) drivers' license number or non-driver identification card number;
    (iii) account number, credit or debit card number;
    (iv) any security code, access code or password that would permit access to an individual's financial account; or
    (v) biometric records;

  (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
    (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
    (ii) the provision of health care to any individual; or
    (iii) payment for the provision of health care to any individual."

Section 500.13 requires your agency to have policies and procedures for periodically securely disposing of these types of information that are no longer necessary for the agency's operations or other legitimate business purposes. The determination of when the information is no longer necessary is entirely up to you. It could vary from one agency to another, and even within an agency it might vary depending on the type of information it is. The only exceptions are:

  • Where another law requires you to retain the information (I can't think of an example offhand.)
  • Where it's infeasible for you to delete it (for example, some agency management systems leave the agency with no control over data storage.)

As a side note, New York insurance laws and regulations require agencies to retain copies of only three types of documents, and none of them fall under this regulation. They are service fee agreements; premium account records; and producer compensation disclosures, and they must be retained for at least three years. While the law does not require you to retain other types of client records, the E&O attorneys recommend retaining them for at least seven years as a loss control measure because the statute of limitations for suing an agency in New York is six years. See The E&O Report, July 2013: “Because New York law provides that an insured has up to six years from the time when an error or omission occurs in order to commence legal action against an agency or brokerage, we always recommend that every agency or brokerage retain all documents for a period of at least seven years or even longer if possible."

The key thing with this section of the regulation is that you must have written policies and procedures for how long you will retain non-public information and how you will securely dispose of it when you don't want or need it anymore. Those policies and procedures are entirely up to you. The sample cybersecurity program the DFS provides contains this content about the data retention requirements: 

"1. Describe how you dispose of nonpublic information when it is no longer necessary for business operations or for other legitimate business purposes: 

2. Describe how long nonpublic information is retained, both generally and for any special categories where the general rule does not apply: ...

Examples of secure disposal methods include: shredding paper so nonpublic information cannot be read or reconstructed; destroying or erasing electronic files or media so that nonpublic information cannot be read or reconstructed; and hiring a qualified third-party service provider who can provide such secure disposal. More information is available from the U.S. Cybersecurity and Infrastructure Security Agency at https://www.cisa.gov/sites/default/files/publications/DisposeDevicesSafely.pdf."

Just remember, the longer you retain non-public information, the longer you must protect it.

Apr 01
Enhanced Cybersecurity Requirements Coming May 1

All New York regulated financial services companies, including insurance agencies, must implement additional cybersecurity procedures by May 1. These requirements are part of the 2023 amendments the New York State Department of Financial Services (DFS) made to the state's financial services cybersecurity requirements.

While most Big I New York member agencies have fewer than eight employees and do not have a staff person known as a “system administrator," some may have one who performs some administration functions. A system administrator has special systems access, allowing them to make security-related changes to the systems. These might include turning access on or off for individuals, configuring firewalls to permit data to enter the system, and related functions.

The cybersecurity regulation refers to accounts that grant a person this kind of access as “privileged accounts." If your agency uses privileged accounts for a staff person to make security changes, it must:

  • Limit the number of them.
  • Limit the functions someone with a privileged account can perform to only those necessary for performing their job.
  • Limit when an individual can use a privileged account to only those times when they are performing functions that require this access.

Other requirements that agencies must implement by May 1 include:

  • Reviewing all user access privileges at least annually.
  • Removing or disabling all accounts and access that the review shows are no longer necessary.
  • Disabling or securely configuring all network software that allows someone (such as a system administrator) to remotely control a device (such as an employee's workstation).
  • Promptly terminating users' access privileges upon their departure from the agency.
  • Implementing written password policies that meet current industry standards. This might be a requirement that passwords be twelve or more characters long, contain upper and lower-case letters, at least one number, and at least one special character (such as a question mark).

Those of you who click the link above to the regulation's text will see a reference to “class A companies." A class A company has at least $20 million in annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue. No Big I New York members fit this definition.

Many of you may be informally doing some or all these procedures already. They should become part of your agency's cybersecurity policy, the written document of agency policies and procedures designed to protect your systems and non-public data. Last spring, DFS published a new cybersecurity policy template for the businesses it regulates to use. The template is comprehensive, and we encourage all members to use it as a starting point. You will find the section pertaining to the requirements described above under Section V. Access Privileges and Management starting at the bottom of page 4.

This is the next-to-last deadline for complying with the regulation's amendments. Agencies have until November 1 to create and manage inventories of the components of their information systems (workstations, laptops, phones, etc.). We will provide guidance on how to create the inventory this fall.

For more information:

www.biginy.org/cyber

NY Cybersecurity Regulation: What Your Agency Needs To Do (Jan. 10, 2025)

Another Resource To Help with Cyber Reg Compliance (Feb. 11, 2025)

Feb 11
Another Resource To Help with Cyber Reg Compliance

We are pleased to announce the creation of another new resource to help independent insurance agencies comply with the New York financial services cybersecurity regulation. The new tool helps agencies that qualify for the limited exemption identify the requirements that apply to them. It also informs the agency as to which filing it must submit before the April 15 deadline.

Section 500.17(b) of the regulation requires all "covered entities" (New York licensed and chartered companies in the banking, financial services, and insurance industries) to annually submit either a Certification of Material Compliance or an Acknowledgment of Non-Compliance regarding the prior calendar year. The entity must complete and submit the appropriate form on the New York State Department of Financial Services (DFS) website annually by April 15.

This requirement applies to the business entity only; it does not apply to licensed employees of an agency.

Our new resource provides a checklist of the requirements that apply to limited exempt agencies. The list is in the form of several questions for which the answers are either "yes" or "no." If the head of IT for your agency (and that person may well be the agency principal) can truthfully answer "yes" to all the questions, the agency should submit the Certification of Material Compliance.

On the other hand, if the truthful answer to one or more questions is "no," the agency should complete the Acknowledgement of Non-Compliance. 

The checklist is an exclusive benefit for Big I New York members. You can find it on the Filing Instructions page in the Cybersecurity section of our website. Because the Cybersecurity section is a benefit that our members pay for, users must log in to the site with their email address and password to access it.

Other resources to help you complete the filing include:

Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.
