Enhanced Cybersecurity Requirements Coming May 1

Abstract: All New York regulated financial services companies, including insurance agencies, must implement additional cybersecurity procedures by May 1.

All New York regulated financial services companies, including insurance agencies, must implement additional cybersecurity procedures by May 1. These requirements are part of the 2023 amendments the New York State Department of Financial Services (DFS) made to the state’s financial services cybersecurity requirements.

While most Big I New York member agencies have fewer than eight employees and do not have a staff person known as a “system administrator,” some may have one who performs some administration functions. A system administrator has special systems access, allowing them to make security-related changes to the systems. These might include turning access on or off for individuals, configuring firewalls to permit data to enter the system, and related functions.

The cybersecurity regulation refers to accounts that grant a person this kind of access as “privileged accounts.” If your agency uses privileged accounts for a staff person to make security changes, it must:

  • Limit the number of them.
  • Limit the functions someone with a privileged account can perform to only those necessary for performing their job.
  • Limit when an individual can use a privileged account to only those times when they are performing functions that require this access.

Other requirements that agencies must implement by May 1 include:

  • Reviewing all user access privileges at least annually.
  • Removing or disabling all accounts and access that the review shows are no longer necessary.
  • Disabling or securely configuring all network software that allows someone (such as a system administrator) to remotely control a device (such as an employee’s workstation).
  • Promptly terminating users’ access privileges upon their departure from the agency.
  • Implementing written password policies that meet current industry standards. This might be a requirement that passwords be twelve or more characters long, contain upper- and lower-case letters, at least one number, and at least one special character (such as a question mark).

Those of you who click the link above to the regulation’s text will see a reference to “class A companies.” A class A company has at least $20 million in annual revenue and either more than 2,000 employees or more than $1 billion in gross annual revenue. No Big I New York members fit this definition.

Many of you may be informally doing some or all these procedures already. They should become part of your agency’s cybersecurity policy, the written document of agency policies and procedures designed to protect your systems and non-public data. Last spring, DFS published a new cybersecurity policy template for the businesses it regulates to use. The template is comprehensive, and we encourage all members to use it as a starting point. You will find the section pertaining to the requirements described above under Section V. Access Privileges and Management starting at the bottom of page 4.

This is the next-to-last deadline for complying with the regulation’s amendments. Agencies have until November 1 to create and manage inventories of the components of their information systems (workstations, laptops, phones, etc.). We will provide guidance on how to create the inventory this fall.

For more information:

www.biginy.org/cyber

NY Cybersecurity Regulation: What Your Agency Needs To Do (Jan. 10, 2025)

Another Resource To Help with Cyber Reg Compliance (Feb. 11, 2025)

Category: Ask Tim; Cyber
Published: 4/1/2025 4:15 PM
Author: Tim Dodge