Entities Licensed in New York have New Cybersecurity Requirement

New York Insurance Law licensees must now report cybersecurity incidents with third-party providers to the New York Department of Financial Services (DFS) within 72 hours of discovery.


Published: 02.29.2024

Effective December 1, 2023, a modification to 23 NYCRR Part 500, known as the 'Cybersecurity Regulation,' took effect. Entities and individuals licensed under the New York Insurance Law must notify the New York Department of Financial Services (“DFS”) within 72 hours of discovering a cybersecurity incident involving a third-party service provider. This enhancement to the notice requirement specifically addresses third-party service provider breaches.
 

Overview 23 NYCRR Part 500

On March 1, 2017, DFS implemented the Cybersecurity Regulation, setting forth cybersecurity standards applicable to various entities and individuals required to hold licenses under the New York Insurance Law. The regulation has undergone multiple amendments over the years, with the most recent amendment occurring in November 2023. Under the cybersecurity law, covered entities are defined as insurance agents, producers, and brokers licensed, or required to be licensed, for the sale of life and health insurance in New York. This most recent amendment requires covered entities to report cybersecurity incidents to DFS in a timely manner.

What is the new definition of a cybersecurity incident?

The Amendment changes the definition of a cybersecurity incident. Newly defined under Section 500.17, a cybersecurity incident is an event that has occurred at the Covered Entity, its affiliates, or a third-party service provider that:
  1. impacts the Covered Entity and requires the Covered Entity to notify any government body, self-regulatory agency or any other supervisory body;
  2. has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity; or
  3. results in the deployment of ransomware within a material part of the Covered Entity’s information systems.

Notification of Cybersecurity Incident

Each covered entity is required to notify the superintendent electronically, in the form set forth on the department’s website, as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
 
A breach at a carrier or third-party administrator is considered a cybersecurity incident under the regulation. Therefore, covered entities must promptly notify DFS of the incident even if the third-party service provider also provides notice to DFS. If DFS requires additional information, covered entities must promptly provide DFS with updates or material changes, including information that was not previously available.

Notification of Extortion Payment

Under the Amendment, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, the covered entity must:
  1. notify DFS within 24 hours of any extortion payment made; and
  2. within 30 days of a payment, provide a written description of the reasons payment was necessary, the alternatives to payment that were considered, and the diligence performed to find alternatives to payment and to ensure compliance with applicable regulations, including those of the Office of Foreign Assets Control.

Notice of Compliance

Beginning April 15, 2024, and annually thereafter, Covered Entities must electronically submit either a certification of compliance or an acknowledgement of non-compliance with Part 500.

In the event of non-compliance, the Covered Entity must include in its written statement:
  1. an acknowledgement that, for the prior calendar year, the Covered Entity did not materially comply with all the requirements of Part 500;
  2. identification of all sections of the Cybersecurity Regulation with which the Covered Entity has not materially complied, and a description of the nature and extent of such noncompliance; and
  3. a remediation timeline or confirmation that remediation has been completed.

The Notice of Compliance or acknowledgement of non-compliance must be submitted to DFS electronically using the form provided on the department’s website. The form must be signed by both the Covered Entity's highest-ranking executive and its Chief Information Security Officer (“CISO”). If the Covered Entity does not have a CISO, the certification or acknowledgment must be signed by the highest-ranking executive and by the senior officer overseeing the Covered Entity's cybersecurity program.


What are my next steps for staying compliant under 23 NYCRR Part 500?

Covered Entities, including agents, producers, and brokers, should thoroughly examine the Amendment and assess their responsibilities under the relevant laws. In the event of a cybersecurity incident, or notification of such an incident, whether at the entity itself, its affiliates, or a third-party service provider such as an insurance carrier, third-party administrator, or other vendor, the covered entity must report the incident to DFS within 72 hours. Covered Entities must also furnish DFS with a certification of material compliance or an acknowledgment of noncompliance before April 15, 2024.
 
Resources