NY DFS 23 NYCRR 500 is a critical cybersecurity regulation that requires all financial companies, such as independent insurance agencies, operating in or with clients in New York State to establish and maintain a comprehensive cybersecurity program to protect their sensitive data and systems from cyber threats.
The regulation requires companies to adhere to strict data protection standards, including the establishment of a cyber risk program, regular testing and monitoring of information systems, and reporting of any incidents or breaches.
Companies must also implement policies and procedures to protect their data, train their employees in cybersecurity best practices, and ensure that third-party vendors are also compliant with the regulation.
New Amendments and what they mean:
- Expanded Definition of "Events": The definition of "events" now includes unauthorized users gaining access to privileged accounts and ransomware attacks within the company's systems. This means companies will be required to constantly monitor their systems for such events.
- Independent Audit: Must perform an independent, third-party audit of their cybersecurity risk program every year.
- Regular Monitoring and Testing: Regularly monitor and test information systems, including bi-annual vulnerability assessments and penetration tests.
- Defensive Measures: Relevant and up-to-date defensive measures to protect sensitive data and systems from cyber threats.
- Written Cyber-Risk Policy: Maintain a written cyber-risk policy that is approved annually by a board of directors or the CISO.
- CISO or Board Designation: Designate a Chief Information Security Officer (CISO) to oversee, implement, and report on policies annually. Alternatively, a board of directors or equivalent with adequate cybersecurity expertise can be responsible for approving cybersecurity policies annually instead.
- Backup and Restoration Testing: Routinely test backup and restoration systems.
- Data Access and Password Restrictions: Limit data access and employ password restrictions and encryption.
- Cybersecurity Training: Provide annual cybersecurity training and testing for employees, including training on social engineering.
- Multi-Factor Authentication: Implement multi-factor authentication.
- Disaster Recovery Plans: Written disaster recovery plans to ensure business continuity.
- Stricter Limitations of Privileged Accounts and Access: New, stricter limitations on privileged accounts and data access.
- Incident Reporting: Documented incident reports to senior level management yearly.
- Non-Public Information Protection: Secure and prevent unauthorized access to an individual’s or an entity’s non-public information.
- 24-Hour Reporting: The proposed amendment includes new 24-hour reporting requirements for any data breach or cyber-risk.
Under the enhanced regulations, a covered entity that fails to implement even one part of the required compliance measures is not considered to be in compliance and is therefore failing to adhere to the law. This makes it exceptionally critical to keep meeting the regulation's requirements once they have been implemented.
What do you need to comply with?
- 500.02 Cybersecurity Program - Develop and maintain a robust cybersecurity program
- 500.03 Cybersecurity Policy - Implement a comprehensive cybersecurity policy
- 500.04 Chief Information Security Officer - Designate a (CISO)
- 500.05 Penetration Testing* and Vulnerability Assessments - Monitor and test the effectiveness of its cybersecurity program
- 500.06 Audit Trail - Maintain an audit trail
- 500.07 Access Privileges - Regulate employee access
- 500.08 Application Security - Limit access to information systems that contain nonpublic information
- 500.09 Risk Assessment - Institute procedures to assess and test the security of externally developed applications
- 500.10 Cybersecurity Personnel and Intelligence - Use qualified personnel to manage cybersecurity risks and oversee cybersecurity functions
- 500.11 Third Party Service Provider Security Policy - Implement policies and procedures to ensure the security of information held by third-party service providers
- 500.12 Multi‐Factor Authentication - Implement data retention and deletion policies and procedures
- 500.13 Limitations on Data Retention - See above
- 500.14 Training and Monitoring - Monitor the activity of authorized users, detect unauthorized access, and offer regular cybersecurity awareness training to employees
- 500.15 Encryption of Nonpublic Information - See above
- 500.16 Incident Response Plan - Develop plans to respond to and recover from cybersecurity incidents
- 500.17 Notices to Superintendent - Be able to file reporting within 24-72 hours of data breach or hack
- 500.18 - 500.23 - Confidentiality, Enforcements, Dates, Periods, Severability
Limited Exemptions:
- Companies with fewer than 10 employees
- Companies with less than $5 Million in gross revenue
- Companies with less than $10 Million in year-end total assets
NOTE: There is no "full exemption" from the law, only a limited exemption or no exemption at all.
“The exemptions are limited in scope and do not exempt you from every requirement of the Cybersecurity Regulation.” – DFS Website.
Limited Exempt Entities still must comply with:
- 500.02 Cybersecurity Program - Develop and maintain a robust cybersecurity program
- 500.03 Cybersecurity Policy - Implement a comprehensive cybersecurity policy
- 500.07 Access Privileges - Regulate employee access
- 500.09 Risk Assessment - Institute procedures to assess and test the security of externally developed applications
- 500.11 Third Party Service Provider Security Policy - Implement policies and procedures to ensure the security of information held by third-party service providers
- 500.13 Limitations on Data Retention - See above
- 500.17 Notices to Superintendent - Be able to file reporting within 24-72 hours of data breach or hack
- 500.18 - 500.23 - Confidentiality, Enforcements, Dates, Periods, Severability
All entities must file Certification of Compliance by April 15th, 2023.
In addition to NY DFS Regulations, agencies also should be aware of the new FTC Safeguards Rule and NAIC Model Laws that are also going into effect.
The Federal Trade Commission’s (FTC) Safeguards Rule, the New York State Department of Financial Services’ (DFS) 23 NYCRR 500 regulation, and the National Association of Insurance Commissioners’ (NAIC) model laws, all have similarities in their approach to cybersecurity for insurance agencies. These regulations require businesses to implement comprehensive cybersecurity programs to protect sensitive customer information from cyber threats.
It’s important to note that the Safeguards Rule aligns closely with existing regulations for financial companies, such as New York’s Department of Financial Services 23 NYCRR 500 law and NAIC’s Model Laws currently implemented in 22 states, except that it applies at the federal level.
Read about the differences and compliance requirements for all here: The New FTC Safeguards Rule, NAIC Model Laws, NY DFS, and You | Motiva Networks Blog.
Ignorance is no excuse when it comes to cybersecurity and complying with NY DFS 23 NYCRR 500.
We at Motiva Networks can help prepare your company to be DFS Compliant. We are the only IT Firm that can assure compliance with both Insurance and State Department Cybersecurity Regulations.
Our Compliance as a Service is a “Done for You” compliance assurance where we hit every bullet point the law requires, and we monitor your systems for cyberattacks 24/7/365.
With over 25 years of experience, we at Motiva Networks can help you plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment. Or you can schedule a quick 10-minute call to discuss the best options for your Agency or small business, or go over any questions you might have HERE.