Prior articles in the cyber series have concentrated on what it means to be a covered entity. This article transitions into discussing what covered entities that qualify for a limited exemption must do to comply with New York’s cyber security regulation (23 NYCRR 500).
Guidance for nonexempt covered entities can be found here.
Understanding covered entities
Covered entities are broadly defined under 23 NYCRR Part 500 as any individual or organization operating under the authorization of the New York State Department of Financial Services. This includes a wide range of financial services, insurance companies, and banks. Recognizing whether your organization falls into this category is the first step toward compliance. More information about covered entities can be found here.
Understanding exemptions
Once you determine if you are a covered entity, the next step is to determine what type of covered entity you are. The size and profitability of a covered entity will determine exactly what it must do to be in compliance with the regulation. More information about exemptions can be found here.
It is important to note that the limited exemption is just that, limited. It is not a total exemption. While those covered entities that qualify for limited exemption will find that they must comply with less of the regulation than a nonexempt covered entity, they are still subject to significant portions of the regulation.
Cyber security program and policy
At the heart of 23 NYCRR Part 500 is the mandate for covered entities to establish a robust cyber security program and policy. The requirements covered in Sections 500.2 and 500.3 are symbiotic. Covered entities are required to maintain a cyber security program designed to protect the entity’s information system. This program must not only protect the entity’s information systems, but it must also protect the private data it houses. A comprehensive cyber security policy—documented and regularly updated—forms the backbone of this initiative, outlining the entity’s defense strategy against cyberthreats.
However, the cyber security program is just the physical manifestation of the practices and procedures developed in the cyber security policy. Covered entities must implement and maintain a written cyber security policy. That policy must be approved at least annually by a covered entity’s senior officer or the senior governing body. The regulation does specify that a covered entity’s cyber security policy must address several specific areas including information security; data governance; security awareness and training; and vulnerability management.
Both the cyber security policy and program are going to be based on the risk assessment a covered entity performs. Risk assessments will be addressed later in this article.
Access privileges and management
Covered entities must take certain steps to restrict access privileges to their information system. Some of these steps include: limiting access to nonpublic information to only those necessary to perform their jobs; limiting the number of privileged accounts, as well as the access functions of those accounts to only those necessary; and reviewing (at least annually) all user access privileges to remove or disable accounts that are no longer necessary.
Risk assessment
Despite being found roughly halfway through the regulation, Section 500.9, which addresses risk assessments, is perhaps the cornerstone of 23 NYCRR Part 500.
Under this section, covered entities must evaluate their information system and the data they manage, identifying potential vulnerabilities and the likelihood of unauthorized access or data breaches. This is done through the performance of a risk assessment. A covered entity’s risk assessment should encompass criteria to evaluate and categorize cyber security risks, and to assess the confidentiality, integrity, security and availability of information systems and nonpublic information. It also must detail the methods for mitigating or accepting identified risks, based on the assessment findings, and outline how the cyber security program will tackle these risks.
A covered entity’s cyber security program and policy will be based on the risk assessment. These risk assessments must be completed at least annually.
Third-party service provider security policy
Creation of a third-party service provider security policy is another critical aspect of the regulation. It is also one that’s easy to miss—as it is found about halfway through the regulation. Before getting into what is required of a third-party service provider security policy, it’s helpful to know what a third-party service provider is.
The regulation defines a third-party service provider to be any person who provides services to the covered entity and maintains, processes and/or has access to nonpublic information of the covered entity. Specifically excluded from the definition of third-party service provider are any affiliates of the covered entity, as well as government entities. Practical examples of third-party service providers to an insurance agency could include: insurance companies, agency management system vendors, and even noninsurance-related providers, such as accounting or human resources.
With that out of the way, let’s talk about what is required of a third-party service provider security policy.
Covered entities are required to develop and implement written policies and procedures aimed at securing information systems and nonpublic information managed by or accessible to third-party service providers. These policies and procedures should be rooted in the entity’s risk assessment and cover, as applicable, the identification and risk assessment of third-party service providers, the establishment of minimum cyber security practices for these providers, the due-diligence processes for evaluating their cyber security measures, and the periodic evaluation of the providers based on the risks they pose and the adequacy of their cyber security practices.
Furthermore, these policies and procedures must include specific guidelines and contractual safeguards concerning third-party service providers, addressing aspects such as access controls and the use of multifactor authentication, among other requirements. Covered entities are responsible for doing their due diligence to ensure that third-party service providers do incorporate the proper cyber security procedures. For that reason, covered entities are encouraged to audit their third-party service providers to determine their cyber security protections.
Multifactor authentication
All covered entities are required to utilize multifactor authentication in some fashion for any individual accessing the covered entity’s information system. However, those covered entities that qualify for the limited exemption are not required to utilize multifactor authentication (MFA) for all logins. Instead, MFA is required in three specific instances:
- for remote access to the covered entity’s information system;
- for remote access to third-party applications, including those that are cloud based; and
- for all privileged accounts other than service accounts that prohibit interactive login.
Asset management and data retention requirements
As part of its comprehensive cyber security strategy, every covered entity is required to develop and adhere to detailed written policies and procedures aimed at establishing and preserving a thorough, accurate and well-documented inventory of its information systems assets.
These guidelines must encompass a system for tracking vital details of each asset, such as its owner, location, classification or sensitivity level, support expiration date, and recovery time objectives.
Additionally, the policies should outline the frequency at which the asset inventory needs to be updated and verified. Alongside asset management, covered entities also are obligated to implement policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or lacks other legitimate business purposes.
Training and monitoring
Covered entities that qualify for the limited exemption are excluded from most of the monitoring and training requirements found in Section 500.14. However, limited exempt entities are required to conduct cyber security awareness training for all personnel at least annually. This training should cover social engineering tactics and be updated regularly to reflect the latest risks identified in the entity’s risk assessment.
Notification of cyber security events
There are several notification requirements that covered entities must be aware of.
First, covered entities are obligated to inform the superintendent of insurance electronically, through the DFS’s website, within 72 hours of identifying a cyber security incident affecting them, their affiliates, or third-party service providers. They also must provide any requested information about the incident and continue to update the superintendent of insurance with significant changes or newly available information.
Second, there is an annual notification requirement. Each year, by April 15, each covered entity must submit an electronic certification or acknowledgment to the superintendent of insurance. This submission confirms either compliance with the cyber security requirements during the previous year, supported by adequate documentation, or acknowledges noncompliance, detailing the unmet sections, the extent of noncompliance, and providing a remediation timeline or completion confirmation. Entities are required to retain all relevant records and documentation supporting their certification or acknowledgment for five years for potential review by the department.
Third, there is a notification requirement in cases of extortion payments related to cyber security events. In those cases, covered entities must notify the superintendent of insurance electronically within 24 hours of the payment and, within 30 days, provide a detailed explanation of the reasons for the payment, alternatives considered, due diligence performed in exploring these alternatives, and efforts to ensure compliance with applicable regulations, including those of the Office of Foreign Assets Control.
The end
As the digital landscape evolves, so too will the challenges and requirements for cyber security compliance. It is incumbent upon all covered entities, regardless of their exemption status, to stay informed, remain adaptable, and foster a culture of cyber security awareness within their organizations.
By doing so, they not only comply with regulations like 23 NYCRR Part 500, but they also contribute to the broader goal of securing our digital world against the ever-present threat of cyberattacks.
Remember, compliance is not a one-time achievement, but a continuous journey. The resources and insights shared in this series are designed to equip you with the knowledge to navigate this journey successfully.
Let’s move forward with the confidence that comes from understanding our obligations, the commitment to fulfilling them, and the collective effort to safeguard the digital ecosystem we all rely on.
Additional resources
Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.
Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.
Navigating the new landscape: Key changes to 23 NYCRR 500
Cyber series: Let’s talk about covered entities
Cyber series: Understanding the limited exemption for covered entities
Cyber series: Compliance for limited exempt entities
Cyber series: What is a Class A company?
Cyber series: Compliance for Class A Companies
Cyber series: Compliance for covered entities
Available to PIA Northeast members: N.Y. cyber security regulation tool kit
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.