Based on new information out today from the Excess Line Association of New York (ELANY), we encourage you to perform the periodically required risk assessment of your computer networks now and get ready for new cybersecurity requirements from the New York State Department of Financial Services (DFS).
As we reported earlier this month, DFS offered guidance to all entities it regulates on how to address the risks of ransomware attacks. Today's bulletin from ELANY indicates that they've had conversations with DFS that shed new light on the guidance.
According to computer security software provider McAfee, "Ransomware is malware that employs encryption to hold a victim's information at ransom. A user or organization's critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization." Ransomware attacks have become more pervasive in recent years; a massive attack affected hundreds of small businesses worldwide over the recent July 4 weekend.
ELANY's bulletin advised its member brokers of the DFS guidance and contained this new information (emphasis added):
The DFS has told ELANY that the notice is not intended to supersede the regulation. Instead, it is meant to accomplish two goals. First, it provides licensees with information on controls that the DFS believes are important and that the DFS expects licensees to consider implementing, depending on their risk assessments. It is important to note that the DFS views the risk assessment as controlling a licensee’s approach to cybersecurity and that licensees should be able to explain what controls they considered based on their risk assessment, and why they chose not to implement certain controls.
Second, the DFS is putting licensees on alert that the regulation will be revised, and the notice includes some of the specific requirements that will likely be included in the revision. The DFS shared with ELANY that limited exemptions will be maintained and they understand that small brokers have limited resources compared to larger licensees; however, some new requirements will likely be imposed on exempt licensees. Most prominently, licensees with a limited exemption can expect the current exemption from multi-factor authentication requirements to be removed.
Therefore, while the notice did not change New York's Cybersecurity Requirements For Financial Services Companies regulation, DFS is urging all covered entities to assess their risks of ransomware attacks and implement controls based on what they find. The regulation already requires agencies and brokerages to perform risk assessments. Section 500.9 states, "Each covered entity shall conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program as required by this (regulation)."
Also, the bulletin supplements what we already knew from the DFS letter: changes will come later this year to the regulation, and they will affect all of you. It currently requires larger agencies (those that do not qualify for the limited exemption) to implement multi-factor authentication (MFA). ELANY's bulletin indicates that DFS intends to require all entities, regardless of size, to implement MFA. The regulation defines MFA as:
"... authentication through verification of at least two of the following types of authentication factors:
(1) knowledge factors, such as a password;
(2) possession factors, such as a token or text message on a mobile phone; or
(3) inherence factors, such as a biometric characteristic."
MFA is a commonly used technology for accessing networks remotely. Big I New York implemented it for staff working outside the office several years ago.
Because of this new information from ELANY, we suggest you:
- Perform new risk assessments with an eye toward the threat of ransomware attacks.
- Prepare to incorporate MFA technology into your cybersecurity programs.
Qualified cybersecurity consulting firms such as Motiva can assist you with implementing MFA. Motiva is also offering Big I New York members a free cybersecurity audit of their computer networks to evaluate network health.
Our cybersecurity regulation compliance resources are available to you at any time at www.biginy.org/cyber.