PIA Northeast published a seven-part series earlier this year that dove into the intricacies of the amended cyber security legislation in New York state. One article discussed the expansion of the entities that fall under the limited exemption for covered entities.
As a follow-up to this series, another compliance deadline is fast approaching for New York State Department of Financial Services-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19(a), (c), and (d) of the amended Cybersecurity Regulation.
As of Friday, Nov. 1, 2024, the regulation requires that the above group has:
- Implemented the multifactor authentication requirements outlined in Section 500.12(a), if not already done; and
- Provided all personnel of the business cyber security awareness training at least annually, pursuant to Section 500.14(a)(3).
Please note that these actions are not required for covered entities that qualify for the 500.19(c) and (d) exemptions, so in practice the Nov. 1 deadline applies to those relying on the 500.19(a) limited exemption. The 500.19(c) exemption applies to entities that do not maintain nonpublic information, and the 500.19(d) exemption applies to captive insurers.
As explored in the cyber security regulation series, the 2023 amendment significantly changed who was required to follow the MFA requirements. Previously, those with a limited exemption were not required to comply with them. However, now those who qualify for a limited exemption are required to incorporate MFA into their security procedures.
What is multifactor authentication?
Multifactor authentication is a layered approach to securing physical and logical access in which a system requires a user to present two or more different authenticators to verify the user's identity at login. The authenticators come from different categories: something the user knows (a password or PIN), something the user has (a hardware token or an authenticator app on a phone), or something the user is (a fingerprint or other biometric). Implementing MFA makes it more difficult for a threat actor to gain access to business premises and information systems, such as remote access technology, email, and billing systems, even if passwords or personal identification numbers are compromised through phishing or other means, because the attacker would also need the second factor.
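The difference between a password check and a two-factor check is easiest to see in code. The following Python example is added here as an illustration; it is not from PIA, DFS, or the regulation. It implements a time-based one-time password (RFC 6238) as the "something you have" factor alongside a password, with the account record, password, and timestamps constructed for the demo. It shows that a phished password alone fails, that a previously used code is rejected, and that the right code with the wrong password also fails.

```python
"""Two-factor login check: password (something you know) plus a TOTP
code (something you have), per RFC 4226/6238. Added illustration, not
from PIA or DFS; the account, password and timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30  # seconds per time step, the usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorAccount:
    """Stores a salted password hash and a TOTP seed, and remembers the
    last accepted time step so a captured code cannot be replayed."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_step = -1  # highest time step already consumed

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def _match_totp(self, code: str, unix_time: int, window: int = 1):
        """Return the time step the code matches (allowing +/- one step of
        clock drift), or None. Steps already consumed are never accepted."""
        step_now = unix_time // TOTP_STEP
        for step in range(step_now - window, step_now + window + 1):
            if step > self.last_step and hmac.compare_digest(hotp(self.totp_secret, step), code):
                return step
        return None

    def login(self, password: str, code: str, unix_time: int) -> bool:
        # Evaluate both factors before deciding, and only consume the code
        # when the whole login succeeds, so a bad password cannot burn codes.
        pw_ok = self.check_password(password)
        step = self._match_totp(code, unix_time)
        if not (pw_ok and step is not None):
            return False
        self.last_step = step
        return True


def demo() -> dict:
    """Constructed scenario: the password has been phished; see which
    attempts the second factor stops."""
    seed = b"12345678901234567890"  # constructed demo seed (the RFC 6238 test-vector secret)
    password = "correct horse battery staple"  # constructed demo password
    acct = TwoFactorAccount(password, seed)
    now = 1_700_000_000  # fixed timestamp so the demo is reproducible
    good_code = totp(seed, now)
    return {
        # attacker has the password but no code
        "password_only": acct.login(password, "", now),
        # legitimate user: password plus current code
        "password_and_code": acct.login(password, good_code, now),
        # attacker replays the code captured moments ago
        "replayed_code": acct.login(password, good_code, now + 5),
        # attacker has a fresh code (e.g. shoulder-surfed) but not the password
        "wrong_password_right_code": acct.login("wrong", totp(seed, now + 60), now + 60),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt:28s} -> {'accepted' if ok else 'rejected'}")
```

`demo()` returns the four outcomes; only the attempt that presents both factors is accepted. In a real deployment the seed is provisioned per user (usually via a QR code), the drift window is kept to one step, and rate limiting is applied to the code check, since a six-digit code is only guessable if the attacker gets unlimited attempts.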
The benefits of annual cyber security training
The annual requirement for cyber security training is meant to help keep employees informed about the latest cyberthreats, helping them recognize phishing attempts and other security risks. Training can encourage safer online behaviors, as educated employees are less likely to fall victim to cyberattacks, thus reducing the overall risk to any organization. Additionally, cyber security training prepares employees to respond effectively in the event of a security incident, minimizing damage and recovery time, and can even foster a culture in which employees feel responsible for protecting company data. Please note that the cyber security training must also now include content on social engineering.
Next steps
If you are unsure about whether an exemption applies to your situation, you can use the DFS’s exemption eligibility guide to determine whether an individual licensee or other covered entity qualifies for a full or limited exemption from the DFS’s cyber security regulation.
For more information on the amended cyber security regulation, you can review PIA’s N.Y. cyber security regulation tool kit and/or the NY cyber security regulation compliance checklist–limited exemption entities.
Danielle Caswell, Esq.
Danielle Caswell joined PIA Northeast as associate counsel in the Government & Industry Affairs Department in 2023. She earned her bachelor’s degree from New York University and her law degree from Brooklyn Law School with a particular focus on intellectual property, information, and media law. Prior to joining PIA, Danielle was an associate at a law firm in New York City where she focused primarily on intellectual property and entertainment-related transactional and litigation matters.