You may have received an email message from DFS announcing the proposed changes. That message informed recipients that they may provide comments to the department between now and Jan. 9, 2023.
Many of the amendments are targeted toward larger “covered entities” (the regulation’s term for any person or organization licensed under the state’s banking, financial services or insurance laws,) such as insurance carriers and banks. However, some changes will apply to smaller agencies and brokerages as well:
- More agencies and brokerages will qualify for exemption from parts of the regulation. Entities will have a limited exemption if they have fewer than 20 employees including independent contractors (up from 10,) less than $5 million in New York revenue (unchanged,) or less than $15 million in gross assets (up from $10 million.) The entity qualifies if any one or more of these is true.
- Inactive individual agents and brokers will be exempt from the regulation.
- All agencies and brokerages of any size will be required to implement multi-factor authentication (MFA) for system administrators and users who access the computer network or third party applications remotely.
- The agency’s board of directors, if it has one, or its senior officer in charge of cybersecurity (probably the agency principal) will be required to approve its cybersecurity policies and procedures annually.
- Those policies and procedures will have to address remote access if the agency has remote or hybrid employees. They will also have to include a policy for network passwords that meet industry standards.
- New restrictions will apply to the granting of system administrator access privileges.
- The mandatory risk assessments will have to be done annually, rather than “periodically.
- All agencies and brokerages of any size will be required to maintain a written inventory of technology assets such as laptops, mobile phones and tablets.
- All agencies and brokerages of any size will be required to report any hacks of a system administrator’s account, ransomware attacks, and if they make any extortion payments.
- When submitting the annual certification of compliance, entities will be required to report any areas of the regulation with which they are not in compliance. They will have to report their plans for achieving compliance.
- Failure to comply with the regulation for any 24-hour period will be considered a violation, subjecting the agency to potential disciplinary action. DFS will determine the amount and extent of penalties based on 15 factors listed in the proposal.
If adopted, the amendments will take effect on the date of adoption, which will likely be sometime in the first quarter of 2023. You will have 30 days from that date to prepare to comply with the additional cybersecurity event reporting requirements; one year to comply with the MFA requirement; 18 months to comply with a new requirement that MFA apply to administrator accounts and all remote access; and two years to implement the asset inventory requirement. The compliance deadline for all other changes will be 180 days after the effective date.
For example, if DFS publishes a formal notice of adoption on March 1, 2023, you will have until approximately September 1 to implement most changes. You would have to implement the notice requirements by March 31; MFA by March 1, 2024; and the asset inventory requirement by March 1, 2025.
As required by law, DFS will accept comments from interested members of the public until 5:00 pm, Monday, January 9, 2023. If you wish to submit comments, direct them to:
Joanne Berman
New York State Department of Financial Services
One State Street
New York, NY 10004
Big I New York intends to submit comments. We will post future updates on this website.