Beginning Thursday, May 1, 2025, the next wave of cyber security compliance requirements under the amended New York State Department of Financial Services’ regulation (23 NYCRR 500) will go into effect. These rules will apply differently depending on your exemption status and whether you qualify as a Class A company.
Below is a breakdown of the requirements by entity type:
All covered entities (including individual licensees)
Access privileges and management—Section 500.7
Every covered entity, as part of its cyber security program and based on its risk assessment, must do the following:
- Limit user access privileges to only those necessary for job duties.
- Restrict and manage the number and functions of privileged accounts.
- Limit use of privileged accounts to functions that require such access.
- Annually review user access privileges and remove/disable any unnecessary accounts.
- Disable or securely configure all remote-control protocols.
- Promptly terminate user access upon personnel departures.
- Implement a written password policy that meets industry standards (if passwords are used).
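The access-review duties in Section 500.7 (annual review of user access, disabling unnecessary accounts, prompt termination after departures, and keeping privileged accounts limited to roles that need them) lend themselves to a repeatable script run against an identity-system export. The following is an added illustration, not code from PIA or from the regulation; the roster fields, the 90-day inactivity threshold, and the set of roles allowed to hold privileged accounts are assumptions a covered entity would replace with its own policy values.

```python
"""Added example (not part of the PIA article or 23 NYCRR 500):
a small access-review pass covering the Section 500.7 duties of reviewing
user access, disabling unnecessary accounts, and terminating access after
personnel departures.

Assumptions (hypothetical): the roster is a list of dicts exported from an
identity system with the fields shown; the inactivity threshold and the
roles allowed to hold privileged accounts come from the entity's policy.
"""
from datetime import date, timedelta

INACTIVITY_LIMIT_DAYS = 90          # assumed policy value
REVIEW_DATE = date(2025, 5, 1)      # the compliance date from the article

# Constructed sample roster (not real accounts).
SAMPLE_ROSTER = [
    {"user": "alice", "privileged": False, "role": "underwriter",
     "last_login": date(2025, 4, 20), "left_on": None},
    {"user": "bob", "privileged": True, "role": "helpdesk",
     "last_login": date(2025, 1, 3), "left_on": None},
    {"user": "carol", "privileged": False, "role": "claims",
     "last_login": date(2025, 3, 30), "left_on": date(2025, 4, 15)},
    {"user": "svc_backup", "privileged": True, "role": "service",
     "last_login": date(2025, 4, 29), "left_on": None},
    {"user": "dave", "privileged": False, "role": "agent",
     "last_login": None, "left_on": None},
]

# Assumed: only these roles may hold a privileged account.
ROLES_ALLOWED_PRIVILEGE = {"helpdesk", "sysadmin", "service"}


def review_access(roster, today=REVIEW_DATE, inactivity_days=INACTIVITY_LIMIT_DAYS):
    """Return {username: [findings]}; an empty list means nothing to act on."""
    findings = {}
    cutoff = today - timedelta(days=inactivity_days)
    for acct in roster:
        issues = []
        # Departures: access must be terminated promptly.
        if acct["left_on"] is not None and acct["left_on"] <= today:
            issues.append("departed: disable immediately")
        # Dormant or never-used accounts are candidates for removal.
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            issues.append(f"inactive > {inactivity_days} days: disable or justify")
        # Privileged accounts are limited to functions that require them.
        if acct["privileged"] and acct["role"] not in ROLES_ALLOWED_PRIVILEGE:
            issues.append("privileged account outside approved roles: remove privilege")
        findings[acct["user"]] = issues
    return findings


def accounts_to_disable(roster, **kwargs):
    """Sorted usernames with at least one finding."""
    return sorted(u for u, f in review_access(roster, **kwargs).items() if f)


def privileged_accounts(roster):
    """Inventory of privileged accounts, for the 'restrict and manage' duty."""
    return sorted(a["user"] for a in roster if a["privileged"])


if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_ROSTER).items():
        print(user, "->", issues or "ok")
    print("privileged:", privileged_accounts(SAMPLE_ROSTER))
```

Run against the constructed roster, the review flags bob (a privileged helpdesk account unused since January), carol (departed in April but still enabled) and dave (an account that has never logged in); the output of such a pass is the record an auditor would expect to see for the annual review.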
Nonexempt covered entities (those without a limited or full exemption under Section 500.19)
Vulnerability management—Section 500.5(a)(2)
- Conduct automated scans of information systems and manual reviews of systems not covered by such scans.
- Frequency of scans must be based on your risk assessment and occur promptly after material system changes.
Malicious code protection—Section 500.14(a)(2)
- Implement risk-based controls to guard against malicious code, including solutions that monitor and filter web traffic and email to block malicious content.
Class A companies (as defined in Section 500.1(d))
In addition to all the requirements above, Class A companies also must:
Privileged Access Oversight—Section 500.7(c)
- Monitor privileged access activity.
- Implement a privileged access management solution.
- Use an automated method to block commonly used passwords across owned or controlled systems.
- If infeasible, the chief information security officer may approve compensating controls in writing, at least annually.
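Two of the items above concern passwords: the written password policy required of every covered entity (Section 500.7) and the Class A duty to block commonly used passwords by an automated method (Section 500.7(c)). The following added example, which is not code from PIA or from the regulation, shows the shape of such a check: a minimum-length rule plus a blocklist comparison with light normalization so that trivial variants of a blocked word (capitalization, trailing digits, simple character substitutions) are also caught. The minimum length and the tiny blocklist are constructed stand-ins for the entity's own policy value and a full list of commonly used passwords.

```python
"""Added example (not part of the PIA article or 23 NYCRR 500):
a password-policy check combining a minimum length with an automated
blocklist of commonly used passwords.

Assumptions (hypothetical): MIN_LENGTH is the entity's policy value and
COMMON_PASSWORDS stands in for a real, much larger list.
"""
import re
import unicodedata

MIN_LENGTH = 12  # assumed policy value

# Constructed, deliberately tiny blocklist for illustration only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common character substitutions folded back to letters before comparison.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(candidate):
    """Lowercase, strip trailing digits/punctuation, undo simple substitutions.
    'P@ssw0rd2025!' becomes 'password' so it matches the blocklist entry."""
    lowered = unicodedata.normalize("NFKC", candidate).lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    # If the whole string was digits/punctuation, compare it as-is.
    return (stripped or lowered).translate(LEET_MAP)


def check_password(candidate, username="", blocklist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return a list of policy violations; empty means the password is acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()
    if lowered in blocklist or normalize(candidate) in blocklist:
        reasons.append("matches a commonly used password")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


def is_acceptable(candidate, username=""):
    return not check_password(candidate, username)


if __name__ == "__main__":
    for pw, user in [("P@ssw0rd2025!", "alice"), ("Welcome1", "bob"),
                     ("correct horse battery staple", "carol")]:
        print(repr(pw), "->", check_password(pw, user) or "acceptable")
```

The normalization step is what turns a blocklist into an effective control: without it, "P@ssw0rd2025!" passes a naive exact-match comparison even though it is a predictable variant of the most common password of all. Where such an automated check cannot be deployed, Section 500.7(c) allows the CISO to approve compensating controls in writing, as noted above.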
Advanced threat detection—Section 500.14(b)
- Deploy an endpoint detection and response solution to detect anomalous activity, including lateral movement.
- Implement a centralized logging and security event-alerting solution.
- Reasonably equivalent or more secure compensating controls may be approved in writing by the CISO.
Compliance deadline: Thursday, May 1, 2025
All applicable requirements must be implemented by this date.
Need assistance?
Contact PIA’s Industry Resource Center at resourcecenter@pia.org.

Shirley Albright, CPIA, CISR
Shirley Albright, CPIA, CISR, joined PIA in 1983 and has worked in many facets of the association over the years. In 1995, she was an integral part of establishing the Industry Resource Center to include the development of the software system to record and track all incoming and outgoing inquiries. She quickly moved from industry resource representative to assistant director and eventually to her current position as director. Currently, Shirley oversees the daily operations of the Industry Resource Center to include the triage of thousands of incoming member inquiries. Her other accomplishments include obtaining her New York state property/casualty broker’s license, CPIA and CISR designations.