N.Y.: New cyber regulations on the horizon; certification of compliance due April 15

January 17, 2023

The New York State Department of Financial Services released the official proposed second amendment to the cyber security regulation (23 NYCRR 500) for public comment late last year. This follows an unofficial draft of the amendments that circulated this past August. The amendment would make multi-factor authentication mandatory for all covered entities, increase the thresholds for entities to qualify for the limited exemption, and create a category for larger corporations, Class A entities. PIA submitted comments on both the unofficial proposal and the official proposal.

The proposed amendment, which is likely to go into effect in spring 2023, would require at least an annual review of cyber security policies and the entity’s risk assessment, a more defined period than the current regulation’s requirement to review them “periodically.” PIA offers members a section-by-section breakdown with all the changes to the regulation and will continue to update members as the regulation goes through the rulemaking process and into effect.

Annual certification of compliance

Those that hold a New York state insurance license (covered entities), including nonresident licensees, have until Saturday, April 15, 2023, to certify their compliance with the requirements of New York’s cyber security regulation (23 NYCRR 500) for calendar-year 2022.

The filing is required for all those not covered by another covered entity’s information system. This certification, which is required annually, must be filed via the DFS web portal between Jan. 1, 2023, and April 15, 2023. PIA members are encouraged to complete their annual certification of compliance earlier rather than waiting for the April 15 deadline.

Still have questions? Check out PIA’s Certification of compliance: a guide for more details. For more information on the cyber security regulation, access the cyber security section of PIA’s Privacy Compliance Central tool kit, which contains numerous resources for association members.

Bradford J. Lachut, Esq.
PIA Northeast

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
