Dear ESMBA Members,

 

In an effort to keep you informed of recent regulatory updates, we are forwarding you the following important email reminder released by the DFS today.


*****


Date: September 30, 2024


Subject: Cybersecurity Regulation Updates and Reminders 


In 2023, the Department of Financial Services (DFS) amended its Cybersecurity Regulation. To assist entities of all sizes throughout the rollout of the regulation, DFS is providing regular updates on important information and helpful resources.


Here is what you need to know in September 2024:


  • November Requirements for Class A and Standard Businesses
  • November Requirements for Small Businesses
  • New FAQs Developed
  • ICYMI: Resources and Reminders



November Requirements for Class A and Standard Businesses

As of November 1, 2024, the following requirements will be effective for all covered entities, except those that qualify for an exemption. To better understand whether an entity qualifies for a full or partial exemption, visit the Cybersecurity Resource Center’s Part 500 Exemptions guidance and the "Am I Exempt" flowchart. Partially exempt entities can jump to November Requirements for Small Businesses below.


Class A and Standard entities are required to implement the below requirements by November 1, 2024:

  1. Cybersecurity Governance: CISOs must include plans for remediating material inadequacies in written reports to senior governing bodies. In addition, CISOs will be required to timely report to senior governing bodies or senior officers on material cybersecurity issues, such as significant cybersecurity events and changes to the cybersecurity program. Entities’ senior governing bodies will be required to exercise oversight of cybersecurity risk management. (Section 500.4)
  2. Encryption of Nonpublic Information (NPI): Effective November 2024, entities will be required to implement a written policy requiring encryption that meets industry standards. Entities may no longer use effective alternative compensating controls for encryption of NPI in transit over external networks; however, entities may use effective compensating controls for encryption of NPI at rest provided that the compensating controls are reviewed and approved in writing by the CISO at least annually. (Section 500.15)
  3. Incident Response and Business Continuity Management: Incident Response (IR) plans continue to be required, but they must be updated as specified and tested at least annually. Business Continuity and Disaster Response (BCDR) plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Covered entities must also train all employees involved in the plans’ implementations, test plans with critical staff, and revise plans as necessary; test the ability to restore critical data and information systems from backups; and maintain and adequately protect backups necessary to restore material operations. (Section 500.4)


Learn more about the upcoming requirements: Class A Entities | Standard Entities


November Requirements for Small Businesses

On November 1, 2024, additional requirements also become effective for small businesses that qualify for partial exemptions under the amended Cybersecurity Regulation:


Multi-Factor Authentication (Section 500.12(a))

  • What’s new? Covered entities that have not already done so are required to implement multi-factor authentication (MFA) for any remote access to their information systems, remote access to third-party applications where Nonpublic Information is accessible (including cloud applications), and to privileged accounts. 
  • Who does this apply to? All covered entities except those who qualify for full exemptions and those who qualify for partial exemptions under 500.19(c) or 500.19(d). Those entities are not required to implement MFA. (Determine your exemption type via the "Am I Exempt" flowchart.)

Cybersecurity Training (Section 500.14(a)(3))

  • What’s new? At least once a year, entities must provide cybersecurity awareness training to all personnel that covers social engineering, such as phishing, business email compromises, and techniques enhanced by AI, like deepfakes.
  • Who does this apply to? All covered entities except those who qualify for full exemptions and those who qualify for partial exemptions under 500.19(c) or 500.19(d).

Learn more about the November requirements for small businesses: Exempt and Partially Exempt Entities


New FAQs Developed

DFS regularly updates its FAQ content based on inquiries from covered entities. Here are answers to what businesses have asked about recently.

  • Can somebody who doesn’t have the precise title “CISO” sign as CISO?
  • If a Covered Entity has a part time or outsourced CISO, who should sign the Certification of Material Compliance or Acknowledgment of Noncompliance?
  • What constitutes a “wholly owned subsidiary” for purposes of qualifying for a 500.19(b) exemption?
  • Under what circumstances does an Affiliate of a Class A Company with business operations in New York have to comply with DFS’s Cybersecurity Regulation?


ICYMI: Resources and Reminders

With Cybersecurity Awareness Month approaching this October, revisit these resources to help develop and enhance your cybersecurity program:

  • DFS’s Cybersecurity Program Template helps individual licensees and individually owned businesses develop their programs.
  • The Class A Determination Tool analyzes affiliated employees and revenue to determine if a business qualifies as a Class A business.
  • Annual Compliance Submissions for 2023 were due in April. Entities that have not yet submitted either a Certification of Material Compliance or an Acknowledgement of Noncompliance can still do so through the DFS portal. The Acknowledgement of Noncompliance essentially certifies that a Covered Entity has materially complied with sections of Part 500 other than those checked in its Acknowledgement of Noncompliance.


Stay tuned for additional resources, including video refreshers, coming soon. Visit the Cybersecurity Resource Center for all DFS’s cybersecurity tools and guidance, including cyber alerts.


To get regular cybersecurity updates delivered to your inbox, subscribe to Cybersecurity Updates. For additional questions related to the amended Cybersecurity Regulation, email DFS’s Cybersecurity team at cyberregsupport@dfs.ny.gov.


This message is intended for the primary contact at each covered entity. If you need to change or update the information that DFS has on file for you, call or email your point-of-contact at the Department directly. If others in your organization should receive this information, please forward this email.

Best regards,

Erica

Erica Wetherall

ESMBA President

Empire State Mortgage Bankers Association | www.esmba.org