The New York State Department of Financial Services published a revised proposed second amendment to 23 NYCRR 500—colloquially referred to as New York’s cyber security regulation. The publication of the revised second amendment comes over six months after the department published the original second amendment to the regulation back in November of 2022. Following the November publication, the DFS received comments from banking, insurance, and other industry groups on the amendment. The revised regulation published late last month makes some subtle, but important, changes to the original proposal based on the public comments received.
While the department made several changes to the revised regulation, the impact of the changes should be minimal—especially for those that qualify for the limited exception. For a complete breakdown of the changes, PIA members can access a section-by-section analysis.
The notable changes: MFA and training
The biggest change in the revised regulation deals with multifactor authentication and cyber training.
Under the original second amendment all covered entities, including those who qualify for the limited exemption, were required to incorporate MFA into their security procedures. The revised amendments alter that requirement to make those who qualify for the limited exemption utilize MFA only:
- for remote access to their information system;
- for remote access to third-party applications; and
- for all privileged accounts other than those that prohibit interactive login.
In addition, the time in which entities must comply with the MFA section has been extended. Previously, covered entities had 18 months to comply. That has been increased to two years in the revised regulation.
The other change that will impact those agencies with a limited exception is a requirement to conduct cyber training. Limited exempt entities now will be required to provide cyber security awareness training that includes social engineering for all personnel at least annually. The training must be updated to reflect risks identified by the covered entity in its risk assessment.
Next steps
Due to the changes in the regulation, a new public comment is required. That began on the date of publication, June 28, 2023, and will last 45-days, until Monday, Aug. 14, 2023.
After that date, the DFS will review comments before publishing what will presumably be the final version of the second amendment.
Stay tuned to PIA publications for more information on the New York’s cyber security regulation.
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
