We want to remind all Big I New York members of the upcoming deadline for complying with new cybersecurity requirements. On November 1, 2023, the New York State Department of Financial Services (DFS) amended its Cybersecurity Requirements for Financial Services Companies regulation (23 NYCRR Part 500). The amendment made several changes. Some took effect immediately; others had deadlines this past spring, and the rest have deadlines next month and next year.
Many of the regulation’s 24 sections do not apply to businesses that qualify for the “limited exemption.” A business qualifies for the limited exemption if any one of the following three things is true about that business:
- The business and its affiliates have fewer than 20 employees and independent contractors.
- The business and its affiliates generated less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations (counting only the New York State operations of affiliates).
- The business and its affiliates have less than $15 million in year-end total assets.
Most Big I New York members qualify for the limited exemption.
DFS sent an email to all New York licensed insurance professionals earlier this week reminding them of these deadlines. However, only two of them apply to all “covered entities” (the regulation’s term for anyone with a New York banking, financial services, or insurance charter or license). The other three apply only to businesses that do not qualify for the limited exemption and to so-called “Class A companies” (very large companies with at least $20 million in gross annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue).
The two November 1 deadlines that apply to all covered entities are:
1. Use multi-factor authentication (MFA) for any individual accessing the entity’s information systems. However, agencies that qualify for the limited exemption must use it only for:
- Remote access to the agency’s computer systems.
- Remote access to third-party applications from which individuals can access non-public information.
- All “privileged accounts” (essentially system administrator accounts) other than service accounts that prohibit interactive login.
If your agency has not already implemented MFA and you need help, agency technology consulting firm Catalyit offers these resources:
Membership in Catalyit is free for Big I New York members, so we encourage all members to register.
2. Provide all personnel, at least annually, with cybersecurity awareness training that covers social engineering. The training should be updated as needed to reflect the risks the agency identified in its most recent annual cybersecurity risk assessment.
The Compliance Resources page in the Cybersecurity section of our website lists these potential providers of cybersecurity awareness training.
All covered entities, including agencies that qualify for the limited exemption, must comply with these requirements by November 1, 2024.
The deadlines that apply only to larger organizations involve cybersecurity reporting to an entity’s senior governing body, changes to the encryption requirements, and changes to the incident response and business continuity management requirements. These requirements do not apply to agencies that qualify for the limited exemption.
For more information: