As part of a multiyear rollout, the New York Department of Financial Services (NYDFS) has established May 1, 2025, and November 1, 2025, as effective dates for certain amendments to its cybersecurity regulations. These additional regulatory obligations apply to all covered entities (CEs), including most enterprises engaged in the insurance industry.
Regulations with May 2025 effective date
- The CE must conduct automated scans of information systems to discover and report vulnerabilities at a frequency determined by the CE’s risk assessment and after any material system changes. Manual review is required for systems that cannot be scanned. 23 NYCRR § 500.5(a)(2); 23 NYCRR § 500.9 (detailing the risk assessment regime, which is already in effect).
- The CE must adopt various access control measures, including: (i) limiting access to information systems containing nonpublic information; (ii) limiting the number and use of IT admin accounts; (iii) periodically reviewing account access privileges and disabling accounts or access that are no longer necessary; (iv) promptly terminating account access following personnel departures; and (v) adopting a written password policy meeting industry standards. 23 NYCRR § 500.7.
- The CE must implement controls to protect against “malicious code,” including controls that filter internet traffic and email. 23 NYCRR § 500.14(a)(2).
- Any large CE (a “Class A” company) must implement an endpoint detection and response solution to monitor “anomalous activity” and a centralized logging and security event solution. 23 NYCRR § 500.14(b); 23 NYCRR § 500.1(d) (defining Class A company).
- Alternative: the CISO may approve the use of “reasonably equivalent or more secure compensating controls.” Id.
Regulations with November 2025 effective date
- Multi-factor authentication (MFA) must be used by any individual accessing any information system of a CE. 23 NYCRR § 500.12(a).
- Alternative: the CE’s Chief Information Security Officer may approve the use of “reasonably equivalent or more secure compensating controls,” which must be reviewed at least annually. 23 NYCRR § 500.12(b). If the CE qualifies for a limited exemption under § 500.19, the MFA requirements are slightly narrowed.
- The CE must implement written policies and procedures that maintain a detailed asset inventory of the CE’s information systems. 23 NYCRR § 500.13(a).
- The policies and procedures must include a method to track certain “key information” for each asset, including data such as owner and location. Id.
What this means to you
While the amendments and effective dates discussed above are only applicable to enterprises covered by New York state law, insurers around the country should pay close attention to how New York’s cybersecurity regulations are implemented and enforced. The New York law predated and heavily influenced the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which was adopted in 2017 to establish data security standards for regulators and insurers to mitigate the potential damage of a data breach. To date, 26 states have implemented the Model Law in some form, with adoption pending in Missouri and the territory of Puerto Rico. While laws and regulations vary from state to state regarding disclosure requirements and the definition of private information, the framework found in NYDFS’s regulations is similar to the Model Law and worth observing.
Contact us
If you have questions about how state cybersecurity regulation impacts insurance companies, please contact Tasha Cycholl, Andrew McNichol, Lauren Ybarra, Jared Bruttig, or your Husch Blackwell attorney.