Navigating the new landscape: Key changes to 23 NYCRR 500

January 10, 2024

The New York Department of Financial Services cyber security regulation—known as 23 NYCRR 500 by nerds like me—first went into effect on March 1, 2017. This regulation was the first in the nation to regulate the cyber security practices of the financial services industry. It was a significant step in the state’s efforts to ensure the security and integrity of the information systems of financial services companies. The regulation requires entities licensed by the DFS, including insurance agencies, to assess their cyber security risk and implement a comprehensive cyber security program.

Fast forward six years and the DFS unveiled amendments to the cyber security regulation in the fall of 2023. These changes, aiming to enhance cyber resilience and protect nonpublic information, bring new compliance requirements for agencies operating under the DFS’ jurisdiction. PIANY is here to help insurance producers navigate their compliance journey. The association will release a series of articles diving into some of the biggest changes to the regulation and how insurance producers should handle them.

This first article in the series will capture a high-level view of what is new with the amended regulation. Let’s break down some of these pivotal changes.

Class A companies: A new category

A major change is the introduction of Class A companies. To fall under this category, an entity must meet two conditions:

  • having at least $20 million in gross annual revenue from New York operations, and
  • either employing over 2,000 employees globally or generating over $1 billion in gross annual revenue.

These companies face more rigorous requirements, reflecting the higher risks associated with their scale.

Redefining cyber security events and incidents

The amendments bring clarity by defining “cyber security event” and introducing “cyber security incident,” a term for events that impact the entity significantly, disrupt normal operations or involve ransomware deployment within key information systems.

Enhanced definitions and responsibilities

Other definitions have been refined or added, such as “multi-factor authentication” and “privileged account,” which are critical for access control and cybersecurity governance. The role of the Chief Information Security Officer has been expanded, requiring more authority and timely reporting on cybersecurity issues.

Risk assessment and cyber security program upgrades

Risk assessment now needs more comprehensive consideration, including the size, staffing, governance and operations of the entity. Risk assessments also must be completed annually. Class A companies must engage external experts for risk assessments every three years. Furthermore, cyber security programs must be independently audited and approved annually by the entity’s senior governing body.

New requirements for asset management and data retention

Entities must maintain an updated and documented asset inventory, including the owner, location, classification, support expiration date and recovery time requirements for each asset.

Incident response and business continuity management

A significant addition to the regulation is the requirement for a Business Continuity and Disaster Recovery plan, ensuring operational resilience in emergencies or disruptions unrelated to cyber security events. Covered entities will be required to create a written response plan designed to respond to and recover from a cyber security event. That incident response plan is supposed to address various areas including the internal processes for responding to an event.

Encryption and multi-factor authentication standards

The amendments mandate that encryption policies meet industry standards and specify situations in which multi-factor authentication is required, expanding its application.

The biggest addition to the MFA requirements is not what is required but who must follow them. Previously, those with a limited exemption were not required to comply with MFA requirements. However, that has changed. Those who qualify for a limited exemption will now be required to incorporate MFA into their security procedures.

Exemptions

The original regulation created a limited exemption for covered entities below a certain size in New York state. Those that qualified for the limited exemption only had to comply without nearly half of the regulation. The DFS not only kept the limited exemption but expanded it. This will likely mean more covered entities qualify for the limited exemption than in years past.

Enforcement and compliance certification

The enforcement section has been expanded to detail what constitutes a violation and the factors considered in assessing penalties.

Entities certifying compliance will now be required to keep, but not submit, detailed records demonstrating compliance with the regulation. Entities can now file a certification of noncompliance as well, outlining areas needing improvement and a remediation plan.

These amendments to 23 NYCRR 500 represent a substantial evolution in New York’s approach to cyber security regulation by emphasizing proactive risk management, stronger governance and enhanced operational resilience. Covered entities must carefully assess these changes to ensure compliance and protect the integrity of their cyber security infrastructure.

Additional resources

Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.

Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.

Navigating the new landscape: Key changes to 23 NYCRR 500

Cyber series: Let’s talk about covered entities

Cyber series: Understanding the limited exemption for covered entities

Cyber series: What is a Class A company?

Available to PIA Northeast members: N.Y. cyber security regulation tool kit

Bradford J. Lachut, Esq.
PIA Northeast | + posts

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.

Related stories…

Share This