Nov. 1 Deadline for NYSDFS Cybersecurity Compliance

If you conduct business in New York State, you should be aware of the following cyber security requirements set by the New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation (23 NYCRR 500). This regulation imposes new cybersecurity requirements on banks, insurance companies, and other financial services firms operating within New York State.

The provisions of the NYSDFS’s Cybersecurity Regulation take effect in phases over the next year. If you are a licensed insurance, banking or financial services entity, please take note of these essential corporate compliance actions detailed below that took effect on November 1, 2024.

Compliance Actions Required by Nov. 1

Non-exempt covered entities have the following requirements:

1. Cybersecurity Governance: Chief information security officers (CISO) must provide reports to senior governing bodies annually, as well as reporting timely on material cybersecurity issues. The senior governing body is required to exercise oversight of the entity’s cybersecurity program.
2. Encryption of Nonpublic Information (NPI): Implement a written policy requiring encryption that meets industry standards, including restrictions regarding the use of alternative compensating controls.
3. Incident Response and Business Continuity Management: Update Incident Response plans to address additional criteria, including internal processes for responding to a cybersecurity event, recovery from backups, and preparation of root cause analysis. Adopt a Business Continuity and Disaster Recovery plan. Train all employees involved in the plans’ implementation, test plans with critical staff, and revise plans as necessary. Maintain and adequately protect backups necessary to restore material operations.

Small businesses with partial exemptions have the following new requirements:

1. Multi-Factor Authentication (MFA): Covered entities that have not already done so are required to implement MFA for any remote access to their information systems, remote access to third-party applications where NPI is accessible (including cloud applications), and to privileged accounts.
2. Conduct Annual Cyber Security Training: All personnel are required to complete cyber security awareness training at least once per year. This training should now include social engineering awareness, helping your team identify phishing attempts and other common cyber threats.

Please note that provisions apply to entities qualifying under 500.19(c) (those that do not maintain information systems and nonpublic information) and 500.19(d) (captive insurers that do not control nonpublic information). These groups are not required to implement these specific actions.

Why These Cyber Security Compliance Measures Are Important

MFA and comprehensive cyber security training are essential tools in today’s risk management landscape. MFA provides an additional barrier against unauthorized access, while annual training ensures your employees are equipped to recognize and respond to emerging cyber threats. With educated personnel, you can significantly reduce the likelihood of a cyberattack and strengthen your organization’s security posture.

Compliance Assistance

With the average cost of a data breach to a US company in 2024 coming in at a staggering $9.36 M, the actions noted above are safeguards you should put in place to protect your business. And if you are licensed in the state of New York, these measures aren’t just a good idea. They’re regulatory requirements that may well apply in order to keep your agency in good standing.

If you have any questions or need guidance on meeting these requirements, please contact 3HCG.