23 NYCRR 500 DFS Law – The 2023 Changes All Independent Insurance Agency Owners MUST Know To Be In Compliance
In November, the Department of Financial Services sent out an updated notification on their proposed amendments to their Cybersecurity Regulation: 23 NYCRR 500. These amendments will go into affect within the first quarter of 2023.
You can read our prior update on the amendments here.
You can read a brief summary of items you must comply with as a filing entity here.
As an Independent Insurance Agency, you are required to comply with DFS Law if you have 1 (one) NY based insured or connected firm/third-party company.
Among the new amendments, changes include the creation of “Class A Companies” for larger entities, with their own set of heightened regulations.
For regular covered entities, such as Independent Insurance Agencies, you must now ALSO have:
- Designate a CISO (Chief Information Security Officer)
- Perform bi-annual penetration testing
- Perform annual cybersecurity training for staff
- Maintain written policies and procedures
- Conduct regular, automated vulnerability scans
- Review and update risk assessments annually
- Report unauthorized access to privileged accounts within 72 hours
- Report deployment of ransomware within systems within 72 hours
- Report any cybersecurity event affecting a third-party service provider within 72 hours
- File formal reporting within 24 hours if ransom payment is made
- File formal reporting within 30 days if ransom payments are made and why payment was necessary to DFS
- Implement multi-factor authentication on all in-house and remote devices
- And more. Read our summary for full briefing.
Regulated entities must file Certification of Compliance for calendar year 2022 by April 15th 2023 and must also file Compliance with new amendments within 30 days once active.
Enhanced regulations include that if a covered entity fails to implement just 1 (ONE) part of the necessary compliance regulations, they are not counted as being within compliance and therefore failing to adhere to the law.
When your agency falls victim to a hacker or a breach, this means you will face increased penalties for not being properly within compliance standards.
Insurance Companies must take steps to ensure that their cyber programs are compliant with not only the current regulations but also with proposed changes in full.
Entities can only become LIMITED EXEMPT, which means any will still need to comply with most of the regulations regardless.
We at Motiva Networks can help prepare your company to be DFS Compliant. We are the only IT Firm that can assure compliance with both Insurance and State Department Cybersecurity Regulations. Our Compliance as a Service is a “Done For You” compliance assurance where we hit every bullet point the law requires, and we monitor your systems for cyberattacks 24/7/365.
Claim your FREE Cybersecurity Risk Assessment today or schedule a quick 10 minute phone call so we can answer any questions directly: 646-374-1820.
Walter Contreras
Walter Contreras has over 25 years of experience in information technology, including cybersecurity, with a focus on the Insurance Industry. As both a computer scientist and a graduate of the Columbia University Business School’s Executive MBA program, Walter understands how the world’s digital transformation is impacting small and medium businesses. His mission is to deploy information technology to protect and empower entrepreneurs.
