By Eric Lipton
While comprehensive cybersecurity legislation hasn’t yet materialized at the federal level, states continue to forge ahead with new or expanded requirements.
A forerunner in cyber regulation, the New York Department of Financial Services (NYDFS), finalized and approved a Second Amendment to its Cybersecurity Regulations (23 NYCRR Part 500) nearly two years ago. On Nov. 1, two new NYDFS requirements will go into effect, including one that requires the implementation of multifactor authentication (MFA).
Although the NYDFS Cyber Regulations may not apply directly to your business, independent insurance agencies operating in other jurisdictions could still see impacts, particularly if doing business with and accessing information systems of “covered entities” licensed in New York.
Currently, 23 NYCRR Part 500.12(b) requires that MFA be used “for any individual accessing the Covered Entity’s internal networks from an external network,” unless its chief information security officer (CISO) approves reasonably equivalent alternative controls.
However, starting on Nov. 1, non-exempt covered entities must implement MFA for any individual accessing any of their information systems, regardless of the location, type of user or nature of the data involved, subject to limited exceptions. Covered entities will also need to have policies in place to implement and maintain an up-to-date asset inventory for their information systems.
Many agencies that are subject to the NYDFS Cyber Regulations qualify for a limited exemption. For limited exempt entities, there are still three situations where they must use MFA: remote access to the agency’s computer systems; remote access to third-party applications that enable access to nonpublic information, such as an agency management system (AMS); and remote access to “privileged accounts,” such as system administrator accounts.
Non-exempt covered entities, such as major carriers, will be subject to the broader MFA requirements. This means that the new requirements may result in changes to access protocols for specific systems.
Recent enforcement trends also underscore the growing importance of MFA for compliance and practical cyber hygiene in general. In August, the NYDFS announced a $2 million fine and settlement with a dental insurance services provider following a data breach caused by a business email compromise.
According to the consent order, an employee clicked on and provided login credentials in response to a phishing email. Because the company failed to enable MFA when migrating to a new email service, “the threat actor was able to access the [employee’s] email box through a web browser without having to bypass any MFA controls.”
Although the company reportedly discovered and stopped the attack quickly, it was unable to determine whether, or which, sensitive emails the threat actor may have accessed and exfiltrated, because of limitations in the company’s logging system.
Given the rapidly changing regulatory environment and risk vectors that businesses face, it is essential to regularly review and update your cybersecurity program. Independent insurance agencies should consider implementing not only changes to their policies, but also any practical security measures that may be appropriate. This is especially important whenever such measures are required by applicable law.
For more information, Big “I” members are encouraged to review cybersecurity resources available from the Big “I” Office of General Counsel, Big “I” Agents Council for Technology and Big I New York.
The NYDFS maintains a Cybersecurity Resource Center and also provides an MFA fact sheet.
If you have any further questions about this or related topics, contact Wes Bissett, Scott Kneeland, or Eric Lipton.
Eric Lipton is Big “I” senior counsel.