Beginning Thursday, May 1, 2025, the next wave of cyber security compliance requirements under the amended New York State Department of Financial Services’ regulation (23 NYCRR 500) will go into effect. These rules will apply differently depending on your exemption status and whether you qualify as a Class A company.
Below is a breakdown of the requirements by entity type:
All covered entities (including individual licensees)
Access privileges and management—Section 500.7
Every covered entity, as part of its cyber security program and based on its risk assessment must do the following:
- Limit user access privileges to only those necessary for job duties.
- Restrict and manage the number and functions of privileged accounts.
- Limit use of privileged accounts to functions that require such access.
- Annually review user access privileges and remove/disable any unnecessary accounts.
- Disable or securely configure all remote-control protocols.
- Promptly terminate user access upon personnel departures.
- Implement a written password policy that meets industry standards (if passwords are used).
Nonexempt covered entities (those without a limited or full exemption under Section 500.19)
Vulnerability management—Section 500.5(a)(2)
- Conduct automated scans of information systems and manual reviews of systems not covered by such scans.
- Frequency of scans must be based on your risk assessment and occur promptly after material system changes.
Malicious code protection—Section 500.14(a)(2)
- Implement risk-based controls to guard against malicious code, including solutions that monitor and filter web traffic and email to block malicious content.
Class A companies (as defined in Section 500.1(d))
In addition to all the requirements above, Class A companies also must:
Privileged Access Oversight—Section 500.7(c)
- Monitor privileged access activity.
- Implement a privileged access management solution.
- Use an automated method to block commonly used passwords across owned or controlled systems.
- If infeasible, the chief information security officer may approve compensating controls in writing, at least annually.
Advanced threat detection—Section 500.14(b)
- Deploy an endpoint detection and response solution to detect anomalous activity, including lateral movement.
- Implement a centralized logging and security event-alerting solution.
- Reasonably equivalent or more secure compensating controls may be approved in writing by the CISO.
Compliance deadline: Thursday, May 1, 2025
All applicable requirements must be implemented by this date.
Need assistance?
Contact PIA’s Industry Resource Center at resourcecenter@pia.org.
Shirley Albright, CPIA, CISR
Shirley Albright, CPIA, CISR, has been a cornerstone of PIA since joining the association in 1983. Over the decades, she has contributed meaningfully across numerous departments, demonstrating unwavering dedication and leadership. In 1995, Shirley played a pivotal role in launching the Industry Resource Center, where she led the development of a comprehensive software system designed to log and manage all incoming and outgoing member inquiries—an innovation that transformed the center’s operational efficiency. As director of the Industry Resource Center, Shirley oversees the center’s daily operations, including the triage and resolution of thousands of member inquiries and multiple database updates, ensuring timely and accurate support across the organization. Her industry accomplishments include earning her New York state property/casualty broker’s license and has obtaining the CPIA and CISR professional designations, underscoring her deep expertise and commitment to excellence in the insurance industry.
