The New York State Department of Financial Services (DFS) today proposed revised changes to its cybersecurity regulation. Today's publication in the New York State Register, the state's weekly compilation of regulatory changes, modifies amendments DFS proposed last fall. The revisions proposed today respond to comments Big I New York and others submitted earlier this year on the first proposal.
Most Big I New York members are agencies with eight or fewer employees. Much of the impact of the proposed amendments is on larger organizations such as carriers and banks. However, our preliminary review of today's proposal found some changes that affect all agencies and brokerages.
Last fall's proposal would require all covered entities to implement multi-factor authentication (MFA). MFA is a technology that helps prevent unauthorized access to computer networks. Many cyber insurance companies require their insureds to implement it. The revised proposal limits the impact on agencies eligible for the limited exemption. These smaller companies will have to use MFA for:
- Remote access to the company's network (such as when staff log in offsite).
- Remote access to third party software applications from which individuals can access non-public information.
- All system administrator accounts.
The first proposal expanded the annual Certification of Compliance requirement. It would have forced all entities to disclose areas of the regulation where they were not in compliance. Big I New York objected, saying, “Requiring covered entities to document noncompliance and identify specific areas of vulnerability will put NYSDFS in possession of a list of prime targets for cyberattack or extortion, which bad actors will seek to access and exploit.” DFS agreed and has dropped the requirement. Instead, entities will have to produce reports upon request.
Last fall's proposal deleted wording from the Third-Party Service Provider (TPSP) section that an “agent, employee, representative or designee” of a covered entity who follows its TPSP security policy need not create its own. Some observers worried that removing it imposed new duties on individuals. DFS confirmed that they removed it because the section on Exemptions has similar wording.
We requested longer transition periods for some new requirements. DFS rejected most of these suggestions but did lengthen the transition period for implementing MFA. That period will be two years from the amendments' effective date, whenever that may be.
DFS rejected other Big I New York suggestions, including:
- Making entities eligible for the limited exemption if they have less than $10 million in New York gross revenue instead of the current $5 million.
- When determining whether an entity has fewer than 20 employees (and thus qualifies for the limited exemption), including only independent contractors who are in the insurance business.
- Clarifying the MFA section to state that entities that do not have a chief information security officer (CISO) may use more secure alternatives to MFA.
- Removing “image and reputation” and “other organizations” from the list of risks entities must identify when they perform their risk assessments.
- Requiring entities to perform risk assessments annually only if their cyber risks have materially changed.
- Under the TPSP security policy section, exempting agencies from having to perform due diligence on carriers and other covered entities, and vice versa.
- Limiting punishable acts only to intentional failures to comply and lengthening the minimum violation period to 72 hours.
DFS has not adopted the proposed amendments yet. Members of the public may submit comments until August 14 by emailing Joanne Berman of DFS. We encourage all of you to review the proposal and the assessment of public comments (see the links below) and submit appropriate comments on the new proposal.
Big I New York will continue to keep you informed on developments regarding this important regulation.
For more information, see: