Cyber series: Compliance for Class A Companies

Prior articles in the cyber series have concentrated on what it means to be a covered entity. This article transitions into a discussion about what covered entities must do to be in compliance with New York state’s cybersecurity regulation (23 NYCRR 500).

This guidance below is designed for those covered entities that are considered Class A companies:

Guidance for covered entities can be found here.

Guidance for limited-exempt covered entities can be found here.

Understanding covered entities

Under 23 NYCRR Part 500, covered entities are broadly defined as any individual or organization operating under the authorization of the New York State Department of Financial Services. This includes a wide range of financial services, insurance companies and banks.

Recognizing whether your organization falls into this category is the first step toward compliance. More information about covered entities can be found here.

Understanding exemptions

Once you determine if your agency is a covered entity the next step is to determine what type of covered entity it is. The size and profitability of a covered entity will determine exactly what it must do to be in compliance with the regulation. More information about exemptions can be found here.

Understanding Class A Companies

When New York state’s cybersecurity regulation (23 NYCRR 500) was amended at the end of 2023, it included the creation of a new type of covered entity referred to as Class A companies. Because of their size, these companies are required to go above and beyond what regular covered entities are required to do under the regulation.

More information on Class A Companies can be found here.

Cyber security program and policy

At the heart of 23 NYCRR Part 500 is the mandate for Class A Companies to establish a robust cyber security program and policy. The requirements covered in Sections 500.2 and 500.3, respectively, are symbiotic.

Class A Companies are required to maintain a cyber security program designed to protect the entity’s information system. This program must not only protect the entity’s information systems but also the private data it houses. A comprehensive cyber security policy, documented and regularly updated, forms the backbone of this initiative, outlining the entity’s defense strategy against cyberthreats.

However, the cyber security program is just the physical manifestation of the practices and procedures developed in the cyber security policy. Class A Companies must implement and maintain a written cyber security policy. That policy must be approved at least annually by a Class A Company’s senior officer or the senior governing body. The regulation does specify that a Class A Company’s cyber security policy must address several specific areas, including: information security; data governance; security awareness and training; and vulnerability management.

Each Class A Company is required to conduct independent audits of its cyber security program.

Both the cyber security policy and program are going to be based on the risk assessment a Class A Company performs. Risk assessments will be addressed later in this article.

Chief information security officer

The regulation mandates the appointment of a chief information security officer, either in-house or outsourced. This pivotal role is tasked with overseeing the cyber security program, ensuring it meets the regulatory standards and is effective in mitigating potential cyber risks.

Class A Companies are required to grant the CISO enough authority to ensure cyber risks are managed properly, which includes the ability to utilize different and sufficient resources to establish and maintain a cyber security program.

To go along with that authority, CISOs are required to make timely reports to a Class A Company’s senior governing body on material cyber security issues, including updates to a risk assessment or major cyber security events, as well as plans for remediating any material inadequacies.

Cybercompliance is not the sole responsibility of the CISO though, a Class A Company’s senior officer or senior governing body has ultimate oversight responsibility. The senior governing body is required to have a sufficient understanding of cyber security-related matters to exercise oversight.

Penetration testing and vulnerability assessments

As mentioned, all Class A Companies must address vulnerability management in their cyber security policy and program. Section 500.5 goes into greater detail of what that means.

At a minimum, Class A Companies are required to conduct penetration testing of their information system. These tests can be conducted by internal staff or by a third party, but they should occur from both inside and outside the information system. In addition, communities must implement automated scans of the information system, as well as a manual review of systems not covered by the scans to make sure that they are discovering analyzing and reporting any vulnerabilities that may appear. These exercises are crucial in identifying weaknesses within the cyber security framework, allowing for timely remediation before they can be exploited by malicious actors.

Class A Companies are required to enhance their cyber security measures by monitoring privileged access activity. This involves the implementation of two key strategies:

1. adopting a privileged access management solution to control and monitor privileged user activities, and
2. deploying an automated system to block commonly used passwords for all accounts on systems they own or control—and where possible—on all other accounts.

If blocking commonly used passwords is deemed infeasible, the company’s CISO must provide written approval, at least annually, for an alternative approach to secure account access.

Audit trails

Class A Companies are required to maintain systems that allow for audit trails that are designed to allow a Class A Company to respond and recover in the case of a cyber security event. Class A Companies should be able to reconstruct any material financial transactions to support the normal operations and obligations, as well as be able to detect and respond to cyber security events.

Access privileges and management

Class A Companies must take certain steps to restrict access privileges to their information system. Some of these steps include:

• limiting access to nonpublic information to only those necessary to perform their jobs,
• limiting the number of privileged accounts, as well as the access functions of those accounts to only those necessary,
• reviewing—at least annually—all user access privileges to remove or disable accounts that are no longer necessary.

Application security

Class A Companies with in-house developed applications are required to include written procedures guidelines and standards for the secure use of those applications. As with many requirements under the regulation, the application guidelines and standards should be reviewed at least annually by a Class A Company’s CISO.

Risk assessment

Despite being found roughly halfway through the regulation, Section 500.9, which addresses risk assessments is perhaps the cornerstone of 23 NYCRR part 500.

Under this section, Class A Companies must evaluate their information system and the data they manage, identifying potential vulnerabilities and the likelihood of unauthorized access or data breaches. This is done to the performance of a risk assessment.

A Class A Company’s risk assessment should encompass criteria to evaluate and categorize cyber security risks, assess the confidentiality, integrity, security and availability of information systems and nonpublic information. It also must detail the methods for mitigating or accepting identified risks, based on the assessment findings and outline how the cyber security program will tackle these risks.

A Class A Company’s cyber security program and policy will be based on the risk assessment. These risk assessments must be completed at least annually.

Cyber security personnel and intelligence

Class A Companies are required to utilize qualified cyber security personnel—either in the form of employees or a third-party—to manage the entity’s cyber security program and that personnel remain educated. This requirement is in addition to the CISO requirements of Section 500.4.

Third-party service provider security policy

Creation of a third-party service provider security policy is another critical aspect of the regulation. It is also one that’s easy to miss as it is found about halfway through the regulation. Before getting into what is required of a third-party service provider security policy, it’s helpful to know what a third-party service provider is.

The regulation defines a third-party service provider to be any person that provides to the Class A Company and maintains, processes and/or has access to nonpublic information of the Class A Company. Specifically excluded from the definition of third-party service provider is any affiliates of the Class A Company as well as government entities.

Practical examples of third-party service providers to an insurance agency could include insurance companies, agency management system vendors, and even non-insurance related providers (e.g., accounting or human resources).

With that out of the way, let’s talk about what is required of a third-party service provider security policy.

Class A Companies are required to develop and implement written policies and procedures aimed at securing information systems and nonpublic information managed by or accessible to third-party service providers. These policies and procedures should be rooted in the entity’s risk assessment and cover, as applicable, the identification and risk assessment of third-party service providers, the establishment of minimum cyber security practices for these providers, the due diligence processes for evaluating their cyber security measures and the periodic evaluation of the providers based on the risks they pose and the adequacy of their cyber security practices.

Furthermore, these policies and procedures must include specific guidelines and contractual safeguards concerning third-party service providers, addressing aspects such as: access controls and the use of multifactor authentication, among other requirements.

Class A Companies are responsible for doing their due diligence to ensure that third-party service providers do incorporate the proper cyber security procedures. For that reason, Class A Companies are encouraged to audit their third-party service providers to determine their cyber security protections.

Multifactor authentication

Use of multifactor authentication has become an increasingly popular and common cyber security tool. So, it should come as no surprise to see that Class A Companies are required to utilize multifactor authentication as part of compliance with the regulation.

Multifactor authentication is required to be utilized by anyone accessing a Class A Company’s information system. There is a small exception if a Class A Company employs a CISO. In those cases, the CISO has the authority to approve in writing the use of reasonably equivalent or more secure alternative measures, which must be periodically reviewed at least once a year.

Asset management and data retention requirements

As part of its comprehensive cyber security strategy, every Class A Company is required to develop and adhere to detailed written policies and procedures aimed at establishing and preserving a thorough, accurate and well-documented inventory of its information systems assets.

These guidelines must encompass a system for tracking vital details of each asset, such as its owner, location, classification or sensitivity level, support expiration date and recovery time objectives. Additionally, the policies should outline the frequency at which the asset inventory needs to be updated and verified.

Alongside asset management, Class A Companies also are obligated to implement policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or lacks other legitimate business purposes.

Training and monitoring

Proper training of employees, as well as monitoring of information systems is critical to preventing cyber security events. As such, Class A Companies are mandated to implement risk-based policies, procedures and controls with multiple objectives.

These measures should enable the monitoring of authorized users to detect any unauthorized access, use or tampering with nonpublic information. Class A Companies are required to establish controls aimed at protecting against malicious code. This includes mechanisms to scrutinize and filter web traffic and emails to prevent malicious content from breaching the system.

Class A Companies also must conduct cyber security awareness training for all personnel at least annually. This training should cover social engineering tactics and be updated regularly to reflect the latest risks identified in the entity’s risk assessment.

Finally, Class A Companies also are required to implement an endpoint detection and response solution to monitor unusual activity and a solution that centralizes logging and security event alerting.

Encryption of nonpublic information

Class A Companies are required to adopt a written policy mandating the use of encryption, adhering to industry standards, to safeguard nonpublic information both in transit across external networks and when stored (at rest). However, if a Class A Company assesses that encrypting nonpublic information at rest is not practical, it is allowed to employ effective alternative compensating controls instead.

These alternatives must be formally evaluated and approved in writing by the entity’s CISO. Additionally, the decision regarding the feasibility of encryption and the efficacy of any compensating controls must be revisited and assessed by the CISO on an annual basis, ensuring that the protections remain robust and appropriate in the face of evolving cyber security threats.

Incident response plan

In the event of a cyber security event, a well-structured incident response plan is indispensable. Class A Companies are required to create a written response plan designed to respond to and recover from a cyber security event. These plans should encompass incident response, business continuity and disaster recovery strategies.

Incident response plans are tailored to promptly address and recover from events that significantly jeopardize the information systems’ confidentiality, integrity, availability or any critical business functions.

Business continuity and disaster recovery plans are designed to ensure the continuous availability of information systems and essential services, safeguarding personnel, assets and nonpublic information against cyber security disruptions. These plans detail the identification of critical resources, supervisory roles, communication strategies during disruptions, recovery procedures for critical data and systems, data backup protocols and the involvement of necessary third parties.

Notification of cyber security events

There are several notification requirements that Class A Companies must be aware of:

First, Class A Companies are obligated to inform the superintendent of insurance electronically, through the DFS’s website, within 72 hours of identifying a cyber security incident affecting them, their affiliates or third-party service providers. They also must provide any requested information about the incident and continue to update the superintendent of insurance with significant changes or newly available information.

Second, there is an annual notification requirement. Each year, by April 15, each Class A Company must submit an electronic certification or acknowledgment to the superintendent of insurance. This submission confirms either compliance with the cyber security requirements during the previous year, supported by adequate documentation or acknowledges noncompliance, detailing the unmet sections, the extent of noncompliance and providing a remediation timeline or completion confirmation. Entities are required to retain all relevant records and documentation supporting their certification or acknowledgment for five years for potential review by the department.

Finally, in cases of extortion payments related to cyber security events, Class A Companies must notify the superintendent of insurance electronically within 24 hours of the payment and, within 30 days, provide a detailed explanation of the reasons for the payment, alternatives considered, due diligence performed in exploring these alternatives and efforts to ensure compliance with applicable regulations, including those of the Office of Foreign Assets Control.

The end

As you can see, compliance with 23 NYCRR Part 500 is a comprehensive process, demanding a holistic approach to cybersecurity.

Class A Companies are urged to conduct risk assessments regularly and review and update their cyber security policies and procedures, ensuring they are in lockstep with the evolving cyberthreat landscape. The path to compliance is ongoing, requiring vigilance, commitment and a proactive stance toward safeguarding sensitive information.

Additional resources

Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.

Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.

Navigating the new landscape: Key changes to 23 NYCRR 500

Cyber series: Let’s talk about covered entities

Cyber series: Understanding the limited exemption for covered entities

Cyber series: Non-New York businesses advice

Cyber series: Compliance for covered entities

Cyber series: What is a Class A company?

Cyber series: Compliance for Class A companies

Available to PIA Northeast members: N.Y. cyber security regulation tool kit