January 2025 has brought with it fresh batches of lake effect snow and a new cybersecurity regulation compliance filing season. Sometime between now and April 15, each agency must log into the NYS Department of Financial Services (DFS) cyber portal and complete and submit one of two forms:
- Certification of Material Compliance (if the agency was in material compliance with all sections of the regulation that applied to it in 2024).
- Acknowledgement of Non-Compliance (if the agency was not in material compliance with all sections that applied to it in 2024).
Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.
In November 2023, DFS adopted amendments to the regulation that implemented a number of changes that are being phased in between Nov. 1, 2023 and Nov. 1, 2025. The bulk of these changes impacted larger entities that do not qualify for the limited exemption. More than 90% of Big I New York members were not impacted by those changes. However, there are some requirements that even small agencies had to meet starting in 2024, with others to follow this year. The following items apply to all agencies:
2024 Changes
- Risk assessments must now be done annually.
- The agency’s senior officer or its governing body (if it has one) must review and approve the written cybersecurity policies and procedures annually.
- Cybersecurity awareness training, including training on social engineering attacks, must be provided to employees annually.
- Multi-factor authentication (MFA) must be implemented for situations where agency staff access the agency’s computer system remotely (from home, cars, restaurants, etc.).
2025 Changes
- Implement restrictions on system administrator accounts (effective May 1).
- Implement written policies and procedures for producing and maintaining an asset inventory of the agency’s systems (workstations, mobile devices, phones, printers, etc.) (effective Nov. 1).
Here are answers to some questions you might have:
Do I have to file for both the agency and all my licensed employees?
No. Your licensed employees should have long ago submitted Notices of Exemption to the department indicating that they are covered by your cybersecurity program. That makes them exempt from having to complete and submit these forms.
Is this something new?
No. The first Certification of Compliance was due by February 15, 2018. In 2020, the department pushed the filing deadline back to April 15 (it was actually later that year because of the pandemic, but it is now permanently April 15). The Acknowledgement of Non-Compliance requirement took effect at the end of 2023. DFS expected entities who may have been out of compliance to complete and submit that form last year.
How do I know what sections of the regulation apply to me?
If your agency is large enough to not qualify for an exemption, you must comply with all of it. More than 90% of Big I New York members qualify for the limited exemption, and they must comply with only some sections. You can find a list of those sections in our post of Dec. 4, 2023.
What do I have to do to comply?
We have a comprehensive Cybersecurity section on our website with plenty of content to help an agency comply. The most important parts of that section are the Filing Instructions and Compliance Resources pages. Other pages provide links to the relevant laws in other states, vendors who can assist you, and checklists.
Can you help me complete the filing?
We encourage you to watch the recording of a webinar Tim Dodge presented last April in which he went step-by-step through the process. Dozens of members attended that webinar and completed their filings in real time. The procedure has not changed since then, so it should be a useful aid for you.
Members who wish to have Big I New York staff members provide one-on-one assistance with the filing may obtain that assistance, but there is an additional monetary charge.
Why is the State of New York doing this to me?
Section 500.0 of the regulation states in part, “Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. … Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.”
Why are insurance agencies being singled out?
They’re not. The requirements of this regulation apply to every New York licensed or chartered person or entity in the financial services industry. That includes agencies, carriers, banks, credit unions, investment companies, and so on. It also applies to non-residents who hold New York licenses or charters.
Do other states require this?
New York was the first state to adopt a cybersecurity regulation for financial services, but at least 22 other states (Connecticut among them) have enacted insurance data security laws based on a model law published by the National Association of Insurance Commissioners (NAIC). To our knowledge, however, New York is the only state that requires insurance producers to submit annual compliance filings.
Where can I find more information?
Three excellent resources are:
- Big I NY Cybersecurity Resources
- Big I NY Newsfeed – Cyber section
- NYS DFS Cybersecurity Resources
For answers you can’t find there, contact Tim Dodge at 800-962-7950 extension 229 or at tdodge@biginy.org.