On July 29th, the NYSDFS released a pre-proposed draft of forthcoming amendments to 23 NYCRR 500, New York's sweeping cyber regulation.
The DFS proposes a wide range of changes to the regulation, including but not limited to:
- Requiring covered entities to strictly limit the number of "privileged accounts," i.e., those able to perform security-relevant functions.
- More specific requirements for entity risk assessments, which would be required annually and whenever there is a material change to risk, rather than "periodically."
- Possibly requiring employees of covered entities to develop their own third-party service provider policies. We have requested clarification on this as it would have troubling implications for individual agents.
- Expanding the definition of third-party service providers to include governmental entities.
- Certification of compliance will have to be backed up by internal documentation of compliance.
- If an entity was not in compliance at the end of the prior year, they will have to say so, identify the provisions with which they are not in compliance, and identify the areas that require improvement.
- The criteria for an entity to qualify for the limited exemption have been broadened:

| Current threshold | Proposed threshold |
|---|---|
| Fewer than 10 employees | Fewer than 20 employees |
| Less than $5 million in New York revenue | Less than $5 million in New York revenue |
| Less than $10 million in total assets | Less than $15 million in total assets |
- Individual insurance agents (those with licenses carrying the LA or PC prefixes) whose licenses are in inactive status (because no carriers have appointed them) will be completely exempt from the regulation's requirements unless they otherwise qualify as covered entities. For example, a person with an inactive PC license and who also has a valid property-casualty broker (BR) license would not be exempt.
- The enforcement section has been significantly expanded. A single act, or a single failure to act, to satisfy an obligation required by the regulation will be deemed a violation of it. Violations include, but are not limited to, failure to protect systems or information due to noncompliance. They also include "the failure to comply for any 24-hour period with any section or subsection of this Part."
This is the first step in the process of amending the cyber regulation; the department will accept comments on this draft until August 8th, then release a proposed amendment for formal comments. After the comment period, a final draft of the amendments will be adopted.
The proposed amendments state that they will be effective immediately upon publication of the notice of adoption. However, compliance will be required later – for most of the changes, compliance will be required within 180 days of the effective date. Compliance with the new cybersecurity event reporting requirements will be required within 30 days, while compliance with the changes to the access privileges, multi-factor authentication (MFA) and training and monitoring requirements will be required one year from the effective date.
Big I NY Has Your Back:
Big I NY is carefully reviewing the proposed changes and will submit comments to the DFS. We will keep members apprised of important developments. Please contact Scott Hobson at SHobson@BigINY.org with comments or questions.