The New York State Department of Financial Services released the official proposed second amendment to the cyber security regulation (23 NYCRR 500) for public comment late last year. This follows an unofficial draft of the amendments that circulated this past August. The amendment would make multi-factor authentication mandatory for all covered entities, increase the thresholds for entities to qualify for the limited exemption, and create a category for larger corporations, Class A entities. PIA submitted comments on both the unofficial proposal and the official proposal.
The proposed amendment, which is likely to go into effect in spring 2023, would require at least an annual review of cyber security policies and of the entity’s risk assessment, a more defined interval than the current regulation’s requirement that these be reviewed “periodically.” PIA offers members a section-by-section breakdown of all the changes to the regulation and will continue to update members as the regulation goes through the rulemaking process and into effect.
Annual certification of compliance
Those that hold a New York state insurance license (covered entities), including nonresident licensees, have until Saturday, April 15, 2023, to certify their compliance with the requirements of New York’s cyber security regulation (23 NYCRR 500) for calendar-year 2022.
The filing is required for all covered entities that are not covered by another covered entity’s information system. This certification, which is required annually, must be filed via the DFS web portal between Jan. 1, 2023, and April 15, 2023. PIA members are encouraged to complete their annual certification of compliance early rather than waiting for the April 15 deadline.
Still have questions? Check out PIA’s Certification of compliance: a guide for more details. For more information on the cyber security regulation, access the cyber security section of PIA’s Privacy Compliance Central tool kit, which contains numerous resources for association members.