New York Pushes For New Cybersecurity Requirements For Financial Services Companies
The Second Amendment will become effective once a Notice of Adoption is published in the New York State Register, and covered entities will have anywhere from 30 days to two years from the effective date to comply, depending on the provision.
The full text of the Second Amendment may be found here. Generally speaking, the Second Amendment creates several new requirements concerning: the role of a covered entity’s Chief Information Security Officer and its “senior governing body”; minimum procedures for designing and conducting cyber risk assessments; mandatory business continuity and disaster recovery plans; minimum requirements for various policies, including written cybersecurity policies, vulnerability management, the cybersecurity program, access privileges and multi-factor authentication, and written policies and procedures for asset inventories; reporting to the Superintendent under various circumstances; the assessment of penalties for noncompliance with the regulation; and other matters.
If adopted, the Second Amendment will apply to covered entities regardless of whether other government agencies also regulate the entities. This may create compliance hurdles for entities licensed in multiple states having different or sometimes contrary cybersecurity requirements applicable to financial services companies.
While the Second Amendment affects all “covered entities,” some provisions apply specifically to “Class A companies,” generally defined as covered entities having at least $20M in gross annual revenue from New York operations and either more than 2,000 employees or more than $1B in gross annual revenue from all business operations. For example, if adopted, the Second Amendment would require Class A companies to conduct an independent audit of their cybersecurity programs at least annually; monitor privileged access activity and implement a privileged access management solution; implement an endpoint detection and response solution; and meet other additional requirements.
The Second Amendment also significantly expands the annual certification of compliance, which almost every licensee — even one exempt from certain other provisions of the DFS cybersecurity regulation as a “small business” — must file with the DFS by April 15 each year. (Only licensees that do not control any information system, do not hold any nonpublic information, and have not placed coverage for anyone for at least a year would be exempt from the regulation in its entirety.) A licensee that is unable to certify full compliance with all applicable provisions of Part 500 for the prior calendar year must instead detail the nature and extent of its noncompliance and provide a remediation plan with a timeline for implementation.
New York remains the only state that requires virtually every DFS licensee, no matter how small its operation, to file an annual certification of compliance or, if the Second Amendment is adopted, an acknowledgment of noncompliance. By contrast, the Insurance Data Security Model Act issued by the National Association of Insurance Commissioners, which 20 states have adopted, requires only domestic insurers to file annual certifications of compliance.
The DFS memo accompanying the Second Amendment states that it is not final and that the DFS will consider additional comments submitted by Monday, August 14, before publishing the final amended version. Our Insurance industry team stands ready to answer any questions clients may have about the Second Amendment or, more generally, about compliance with Part 500 and other DFS regulations or the New York Insurance Law.