LIMITED EXEMPT COMPANIES
In November 2023, New York updated its cybersecurity law, NY DFS 23 NYCRR 500, affecting all financial firms in the state, and those financial companies nationwide with customers from New York.
With the April 15th compliance deadline near, it’s important to understand and apply these new changes.
What do you need to comply with?
The amendments have expanded the number of companies that now qualify for Limited Exempt status. However, the amount of cybersecurity requirements has now increased.
Qualification for Limited Exempt 2024
- fewer than 20 employees and independent contractors of the covered entity and its affiliates.
- less than $7,500,000 in gross annual revenue in each of the last [3] three fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates; or
- less than $15,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
BEFORE:
500.02 Cybersecurity Program
- Develop and maintain a robust cybersecurity program
500.03 Cybersecurity Policy
- Implement a comprehensive cybersecurity policy
500.07 Access Privileges
- Regulate employee access
500.09 Risk Assessment
- Institute procedures to assess and test the security of externally developed applications.
500.11 Third Party Service Provider Security Policy
- Implement policies and procedures to ensure the security of information held by third-party service providers
500.13 Limitations on Data Retention
- Procedure for how and when PII (Personally Identifiable Information) data is disposed of
500.17 Notices to Superintendent
- Be able to file reporting within 72 hours of data breach or hack
500.18 – 500.23
- Confidentiality, Enforcements, Dates, Periods, Severability.
NEW REQUIREMENTS AS OF NOV 2023:
500.02 Cybersecurity Program
- Develop and maintain a robust cybersecurity program
- Document own cyber program and cyber programs by affiliates
500.03 Cybersecurity Policy
- Implement a comprehensive cybersecurity policy based on risk assessments
- Maintained and implemented by employee or third-party with adequate experience
- Incident response, notification, vulnerability management
- Asset Inventory and Device Management, including end of life management
- Network Monitoring
- Security Awareness and training
500.07 Access Privileges
- Regulate employee access
- Multifactor Authentication implementation
- Remote devices securely configured or disabled
- Proper termination of accounts and access following departures
500.09 Risk Assessment
- Institute procedures to assess and test the security of internal and external applications
- Must be updated annually, AND any time a change in business or technology impacts cyber risk
- Impact assessment must be conducted
- Tailored to specific company circumstances for testing
500.11 Third Party Service Provider Security Policy
- Implement policies and procedures to ensure the security of information held by third-party providers
- Risk assess third party providers, repeated periodically
- Policy for third party provider to utilize Multi-Factor Authentication and Encryption
- Periodically verify third party providers cybersecurity and policy requirements
500.12 MFA (Multi Factor Authentication) Multifactor Authentication
- MFA (Token or App based) implemented for local and remote access to systems
500.13 Access Management and Data Retention
- Written policies and procedures for complete and accurate documentation of all assets Owner, Location, Classification, Support Expiration Date, Recovery Time Objectives, Update Frequency
- Policies and procedures for secure asset disposal
500.14 Monitoring and Training
- Periodic, at least annual, cybersecurity awareness training that includes social engineering
500.17 Notices to Superintendent
- Be able to file reporting within 72 hours of data breach or hack under expanded “events”, including third party providers or affiliates 24 hour reporting of extortion payments
- 30 day reporting explaining why payment was necessary and what alternatives were considered
500.17 Continued – Proof of Compliance
- Written statement certifying DFS compliance with ALL requirements, demonstrated by data and document proof
- Written statement failing DFS compliance, where and why compliance was not achieved, timeline for remediation
- Produce documentation of compliance upon request to the Superintendent
500.20 Enforcement
- Any failure of any requirement for 24 hour period, and failure to secure or prevent unauthorized access is NON-Compliance
500.20(c) Penalty for Violations
- Determined by the Superintendent based on 16 new factors
500.18 – 500.24
- General Confidentiality, Enforcements, Dates, Periods, Severability
Let us handle all of the paperwork and implementation that will bring your company into Full DFS Compliance, alongside technical optimization so you run more smoothly than ever before.
Hand off the stress and frustration of DFS Compliance to an expert Cybersecurity and Compliance Team that works specifically with companies like yours and understands your unique day to day business operations and technical needs.
Start with a FREE No-Nonsense Technology and DFS Compliance Assessment to gain the knowledge of where you stand and what you need. You also need one for certifying proof of DFS Compliance so it’s two birds with one stone – knowledge and power.
Claim your FREE No-Nonsense Technology and DFS Compliance Asssessment by CLICKING HERE.
5 Biggest Changes
to DFS Law
to DFS Law
NEW ENFORCEMENT RULE
500.20 Enforcement: Any failure of any requirement for 24 hour period, and failure to
secure or prevent unauthorized access is NON-Compliance
There is no “full exemption” of the law, only limited exempt and not exempt at all.
Compliance Filing Deadline
All entities must file Certification of Compliance and Proof by April 15th, 2024.
- 00Days
- 00Hours
- 00Minutes
- 00Seconds
Entities must now also report to DFS where they are NOT in compliance, why they were not in compliance, a proof of plan for coming into compliance for those failings, and a date of which those compliance items will be implemented.
Our Free Compliance Assessment Will Give You The
Answers You Want, The Certainty You Need.
This Assessment will provide verification from a Qualified Third Party on your NY DFS Compliance posture, whether or not your current IT company is doing everything they should be, and if your business is at serious risk for hacker attacks, data loss and extended downtime, as well as how to solve these issues.
- Whether or not you're currently in Compliance with NY DFS Cybersecurity Law.
- Where you are overpaying (or getting underserved) for the services and support you are currently getting from your current IT company or team.
- If you and your employees’ login credentials are being sold on the Dark Web.
- IF your IT systems and data are truly secured from hackers, cybercriminals, viruses, worms and even sabotage by rogue employees.
- IF your current backup would allow you to be back up and running again fast if ransomware locked all your files.
- Do your employees truly know how to spot a phishing e-mail? We will actually put them to the test. We’ve never seen a company pass 100%. Never.
- IF your IT systems, backup and data handling meet strict compliance requirements for data protection.
- If your company (and your reputation) are at RISK and how your employees can work from home without compromising the security of your customers data.
- How you could lower the overall costs of IT while improving communication, security and performance, as well as the productivity of your employees.
Walter Contreras, registered NY DFS instructor, Cybersecurity expert, and CEO of Motiva Networks understands how the world’s digital transformation is impacting small to medium sized businesses. With over 25 years of experience in information technology and cybersecurity, his vision is clear – safeguarding and strengthening the digital backbone of business owners.
