Prior articles in the cyber series have concentrated on what it means to be a covered entity. This article discusses what covered entities must do to comply with New York’s cyber security regulation (23 NYCRR 500).
Understanding covered entities
Covered entities are broadly defined under 23 NYCRR Part 500 as any individual or organization operating under the authorization of the New York State Department of Financial Services. This includes a wide range of financial services, insurance companies, and banks. Recognizing whether your organization falls into this category is the first step toward compliance. More information about covered entities can be found here.
Understanding exemptions
Once you determine if your agency is a covered entity, the next step is to determine what type of covered entity your agency is. The size and profitability of a covered entity will determine exactly what it must do to be in compliance with the regulation. More information about exemptions can be found here.
Cybersecurity program and policy
At the heart of 23 NYCRR Part 500 is the mandate for covered entities to establish a robust cyber security program and policy. The requirements for each, covered in Sections 500.2 and 500.3, are symbiotic.
Covered entities are required to maintain a cyber security program designed to protect the entity’s information system. This program must not only protect the entity’s information systems, but also the private data they house. A comprehensive cyber security policy, documented and regularly updated, forms the backbone of this initiative, outlining the entity’s defense strategy against cyberthreats.
However, the cyber security program is just the physical manifestation of the practices and procedures developed in the cyber security policy. Covered entities must implement and maintain a written cyber security policy. That policy must be approved at least annually by a covered entities senior officer or the senior governing body. The regulation does specify that a covered entity’s cyber security policy must address several specific areas, including information security; data governance; security awareness and training; and vulnerability management. Both the cyber security policy and program are going to be based on the risk assessment a covered entity performs. Risk assessments will be addressed later in this article.
The chief information security officer
The regulation mandates the appointment of a chief information security officer, either in-house or outsourced. This pivotal role is tasked with overseeing the cyber security program, ensuring it meets the regulatory standards and is effective in mitigating potential cyber risks.
Covered entities are required to grant the CISO enough authority to ensure cyber risks are managed properly, which includes the ability to utilize different and sufficient resources to establish and maintain a cyber security program.
To go along with that authority, CISOs are required to make timely reports to a covered entity’s senior governing body on material cyber security issues, including updates to a risk assessment or major cyber security events, as well as plans for remediating any material inadequacies.
However, cyber compliance is not the sole responsibility of the CISO—a covered entity’s senior officer or senior governing body has ultimate oversight responsibility.
The senior governing body is required to have a sufficient understanding of cyber security related matters to exercise oversight.
Penetration testing and vulnerability assessments
As mentioned, all covered entities must address vulnerability management in their cyber security policy and program. Section 500.5 goes into greater detail of what that means. Covered entities are required at a minimum to conduct penetration testing of their information system. These tests can be conducted by internal staff or by a third-party, but they should occur from both inside and outside the information system.
In addition, communities must implement automated scans of the information system as well as a manual review of systems not covered by the scans to make sure that they are discovering, analyzing and reporting any vulnerabilities that may appear. These exercises are crucial in identifying weaknesses within the cyber security framework, allowing for timely remediation before they can be exploited by malicious actors.
Audit trails
Covered entities are required to maintain systems that allow for audit trails that are designed to allow a covered entity to respond and recover in the case of a cyber security event. Covered entities should be able to reconstruct any material financial transactions to support the normal operations and obligations and detect and respond to cyber security events.
Access privileges and management
Covered entities must take certain steps to restrict access privileges to their information system. Some of these steps include: limiting access to nonpublic information to only those necessary to perform their jobs; limiting the number of privileged accounts, as well as the access functions of those accounts to only those necessary; and reviewing (at least annually) all user access privileges to remove or disable accounts that are no longer necessary.
Application security
Covered entities with in-house developed applications are required to include written procedures guidelines and standards for the secure use of those applications. As with many requirements under the regulation, the application guidelines and standards should be reviewed at least annually by a covered entities CISO.
Risk assessment
Despite being found roughly halfway through the regulation, Section 500.9, which addresses risk assessments is perhaps the cornerstone of 23 NYCRR part 500.
Under this section, covered entities must evaluate their information system and the data they manage, identifying potential vulnerabilities and the likelihood of unauthorized access or data breaches. This is done by the performance of a risk assessment.
A covered entity’s risk assessment should encompass criteria to evaluate and categorize cyber security risks, assess the confidentiality, integrity, security, and availability of information systems and nonpublic information. It must also detail the methods for mitigating or accepting identified risks, based on the assessment findings, and outline how the cyber security program will tackle these risks.
A covered entity’s cyber security program and policy will be based on the risk assessment. These risk assessments must be completed at least annually.
Cyber security personnel and intelligence
Covered entities must use qualified cyber security personnel either as employees or a third party to manage the entity’s cyber security program and that personnel must remain educated. This requirement is in addition to the CISO requirements of Section 500.4.
Third-party service provider security policy
Creation of a third-party service provider security policy is another critical aspect of the regulation. It is also one that’s easy to miss as it is found about halfway through the regulation. Before getting into what is required of a third-party service provider security policy, it’s helpful to know what a third-party service provider is.
The regulation defines a third-party service provider to be: any person who provides to the covered entity and maintains, processes and/or has access to nonpublic information of the covered entity. Specifically excluded from the definition of third-party service provider are any affiliates of the covered entity, as well as government entities. Practical examples of third-party service providers to an insurance agency could include: insurance companies, agency management system vendors and even noninsurance related providers, such as accounting services or human resources.
With that out of the way let’s talk about what is required of a third-party service provider security policy.
Covered entities are required to develop and implement written policies and procedures aimed at securing information systems and nonpublic information managed by or accessible to third-party service providers. These policies and procedures should be rooted in the entity’s risk assessment and cover, as applicable, the identification and risk assessment of third-party service providers, the establishment of minimum cyber security practices for these providers, the due diligence processes for evaluating their cyber security measures, and the periodic evaluation of the providers based on the risks they pose and the adequacy of their cyber security practices.
Furthermore, these policies and procedures must include specific guidelines and contractual safeguards concerning third-party service providers, addressing aspects such as access controls and the use of multifactor authentication, among other requirements. Covered entities are responsible for doing their due diligence to ensure that third-party service providers incorporate the proper cyber security procedures. For that reason, covered entities are encouraged to audit their third-party service providers to determine their cyber security protections.
Multifactor authentication
Use of multifactor authentication has become an increasingly popular and common cyber security tool. So, it should come as no surprise to see that covered entities are required to utilize multifactor authentication as part of compliance with the regulation.
Multifactor authentication is required to be utilized for anyone accessing a covered entity’s information systems. There is a small exception if a covered entity employs a CISO. In those cases, the CISO has the authority to approve in writing the use of equivalent or more secure alternative measures, which must be periodically reviewed at least once a year.
Asset management and data retention requirements
As part of its comprehensive cyber security strategy, every covered entity is required to develop and adhere to detailed written policies and procedures aimed at establishing and preserving a thorough, accurate and well-documented inventory of its information system assets.
These guidelines must encompass a system for tracking vital details of each asset, such as its owner, location, classification or sensitivity level, support expiration date, and recovery time objectives. Examples of assets could include: company-issued computers, including lap tops, cell phones, and tablets.
Additionally, the policies should outline the frequency at which the asset inventory needs to be updated and verified. Alongside asset management, covered entities also are obligated to implement policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or lacks other legitimate business purposes.
Training and monitoring
Proper employee training and monitoring of information systems is critical to preventing cyber events. As such, covered entities are mandated to implement risk-based policies, procedures and controls. These measures should enable the monitoring of authorized users to detect any unauthorized access, use or tampering with nonpublic information.
Covered entities are required to establish controls aimed at protecting against malicious code. This includes mechanisms to scrutinize and filter web traffic and emails to prevent malicious content from breaching the system.
Covered entities also must conduct cyber security awareness training for all personnel at least annually. This training should cover social engineering tactics and be updated regularly to reflect the latest risks identified in the entity’s risk assessment.
Encryption of nonpublic information
Covered entities are required to adopt a written policy mandating the use of encryption, adhering to industry standards, to safeguard nonpublic information both in transit across external networks and when stored (at rest).
However, if a covered entity assesses that encrypting nonpublic information at rest is not practical, it is allowed to employ effective alternative compensating controls instead. These alternatives must be formally evaluated and approved in writing by the entity’s CISO.
Additionally, the decision regarding the feasibility of encryption and the efficacy of any compensating controls must be revisited and assessed by the CISO on an annual basis, ensuring that the protections remain robust and appropriate in the face of evolving cyber security threats.
Incident response plan
In the event of a cyber security event, a well-structured incident response plan is indispensable. Covered entities are required to create a written response plan designed to respond to and recover from a cyber security event. These plans should encompass incident response, business continuity and disaster recovery strategies.
Incident response plans are tailored to promptly address and recover from events that significantly jeopardize the information systems’ confidentiality, integrity or availability, or any critical business functions.
Business continuity and disaster recovery plans are designed to ensure the continuous availability of information systems and essential services, safeguarding personnel, assets and nonpublic information against cyber security disruptions.
These plans detail the identification of critical resources, supervisory roles, communication strategies during disruptions, recovery procedures for critical data and systems, data backup protocols and the involvement of necessary third parties.
Notification of cyber security events
There are several notification requirements that covered entities must be aware of.
First, covered entities are obligated to inform the superintendent of insurance electronically, through the New York State Department of Financial Service’s website, within 72 hours of identifying a cyber security incident affecting them, their affiliates, or third-party service providers. They also must provide any requested information about the incident and continue to update the superintendent of insurance with significant changes or newly available information.
Second, there is an annual notification requirement. Each year, by April 15, each covered entity must submit an electronic certification or acknowledgment to the superintendent of insurance. This submission confirms either compliance with the cyber security requirements during the previous year, supported by adequate documentation, or acknowledges noncompliance, detailing the unmet sections, the extent of noncompliance, and providing a remediation timeline or completion confirmation. Entities are required to retain all relevant records and documentation supporting their certification or acknowledgment for five years for potential review by the department.
Third, there is a notification requirement in cases of extortion payments related to cyber security events. In those cases, covered entities must notify the superintendent of insurance electronically within 24 hours of the extortion payment and, within 30 days, provide a detailed explanation of the reasons for the payment, alternatives considered, due diligence performed in exploring these alternatives, and efforts to ensure compliance with applicable regulations, including those of the Office of Foreign Assets Control.
The end
As you can see, compliance with 23 NYCRR Part 500 is a comprehensive process, demanding a holistic approach to cybersecurity. Covered entities are urged to conduct risk assessments regularly and to review and update their cyber security policies and procedures, ensuring they are in lockstep with the evolving cyber threat landscape.
As the digital landscape evolves, so too will the challenges and requirements for cyber security compliance. It is incumbent upon all covered entities, regardless of their exemption status, to stay informed, remain adaptable, and foster a culture of cyber security awareness within their organizations.
By doing so, they not only comply with regulations like 23 NYCRR Part 500, but they also contribute to the broader goal of securing our digital world against the ever-present threat of cyberattacks.
Additional resources
Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.
Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.
Navigating the new landscape: Key changes to 23 NYCRR 500
Cyber series: Let’s talk about covered entities
Cyber series: Understanding the limited exemption for covered entities
Cyber series: Non-New York businesses advice
Cyber series: Compliance for covered entities
Cyber series: What is a Class A company?
Cyber series: Compliance for Class A companies
Available to PIA Northeast members: N.Y. cyber security regulation tool kit
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.