Alert
09.26.2025

On March 1, 2017, New York’s Department of Financial Services (DFS) enacted a regulation establishing what was then one of the most stringent cybersecurity measures in the country. The goal was to enhance cybersecurity governance, mitigate the risks of breach, and protect New York businesses, regulated entities and consumers from cyber threats. The regulations were codified at the New York Insurance Regulations, 23 NYCRR Part 500. Part 500 was first amended in April 2020, at the start of the COVID-19 pandemic, to change the date of the required annual certification filing from February 15 of each year to April 15.

As technology has advanced and threat actors have become more sophisticated, persistent breaches have become more frequent. Therefore, Part 500 was broadly amended, effective on November 1, 2023. Among other things, the 2023 amendments imposed new controls, required more regular risk assessments, updated notification requirements to enhance protections to consumers, and provided clearer direction for companies to invest in, at a minimum, annual training and cybersecurity awareness programs that anticipated social engineering attacks.

The next phase will implement the final requirements of the amended Cybersecurity Regulation and will take effect as of November 1, 2025, when Covered Entities must comply with: 

  • Enhanced MFA Requirements (Section 500.12): Covered Entities from the Small Business, Standard, and Class A categories must comply with enhanced multifactor authentication (“MFA”) requirements. Further, while there are limited exceptions, MFA will not be completely eliminated. Covered Entities qualifying for a limited exemption pursuant to Section 500.19(a) – Small Businesses – must use MFA for remote access to their information systems, remote access to third-party applications, and all privileged accounts other than service accounts that prohibit interactive login. All other Covered Entities must utilize MFA for any individual accessing any information system of a Covered Entity.
  • Asset Management (Section 500.13(a)): All Covered Entities must implement written policies and procedures to maintain a complete, accurate, and documented asset inventory of their information systems that includes, among other things, tracking ownership and location.

DFS continues to provide training and guidance on its website and has even created step-by-step instructions to submit either a Certificate of Material Compliance or an Acknowledgement of Noncompliance. Additional updates and guidance are available by emailing DFS’ internal Cybersecurity team at cyberregsupport@dfs.ny.gov, subscribing to Cybersecurity Updates, and visiting the DFS resource center for additional tools at the Cybersecurity Resource Center. Questions can also be directed to Cynthia Borrelli at Bressler, Amery & Ross, P.C.
