Attention all NYAMB Members!
In an effort to keep you informed of recent regulatory updates that may impact you, we are forwarding the following information provided to us by the New York State Department of Financial Services:
Date: February 28, 2025
Subject: Cybersecurity Regulation Updates and Reminders
In 2023, the Department of Financial Services (DFS) issued its amended Cybersecurity Regulation with requirements rolling out through 2025.
To assist entities of all sizes throughout the rollout of the regulation, DFS is providing regular updates on important information and helpful resources.
In this month’s edition:
- Annual Compliance Submissions Due by April 15
- New Requirements Coming May 2025
- Cybersecurity Regulation Refresher Videos
- ICYMI: FAQs on the Shield Act
Annual Compliance Submissions Due by April 15
Since its initial adoption, the Cybersecurity Regulation has required covered entities to submit annual compliance notifications. As of last year, covered entities have the option to submit either a Certification of Material Compliance (certifying that they materially complied with the regulation requirements applicable to them in the prior year) or an Acknowledgement of Noncompliance (identifying all sections of the regulation with which they have not complied and providing a remediation timeline).
By April 15, 2025, covered entities must submit their annual compliance notifications for the 2024 calendar year through the DFS portal. Covered entities that qualify for full exemptions from the Cybersecurity Regulation do not have to submit annual compliance notifications. However, covered entities that qualify for limited exemptions still must submit an annual notification regarding their compliance.
For more information on the April 15 compliance deadline, guidance on which form to file, and step-by-step filing instructions, visit the Submit a Compliance Filing section in the Cybersecurity Resource Center.
New Requirements Coming May 2025
On May 1, 2025, additional requirements become effective under the amended Cybersecurity Regulation. If they have not already done so, covered entities should plan to implement the below requirements on or before May 1, 2025.
Requirements impacting all covered entities, except those with a full exemption
Access Privileges and Management:
- Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
- Review access privileges and remove or disable accounts and access that are no longer necessary.
- Disable or securely configure all protocols that permit remote control of devices.
- Promptly terminate access following personnel departures.
- Implement a reasonable written password policy to the extent passwords are used. (Section 500.7)
Requirements impacting Class A and Standard entities:
Vulnerability Management: Conduct “automated scans of information systems, and a manual review of systems not covered by such scans” to discover, analyze, and report vulnerabilities at a frequency determined by their risk assessment and promptly after any material system changes. (Section 500.5(a)(2))
Malicious Code: Implement controls to protect against malicious code. (Section 500.14(a)(2))
Requirements impacting Class A entities only:
Monitoring and Training: Implement (1) an endpoint detection and response solution to monitor anomalous activity and (2) a centralized logging and security event alerting solution. CISOs can approve reasonably equivalent or more secure compensating controls, but the approval must be in writing. (Section 500.14(b))
Information on exemptions is available via the Cybersecurity Resource Center’s Part 500 Exemptions section and/or the "Am I Exempt" flowchart. Learn more about the regulatory requirements broken down by entity type: Exempt and Partially Exempt Entities | Standard Entities | Class A Entities
Cybersecurity Regulation Refresher Videos
The Department has introduced a series of video refreshers to help entities better understand the Cybersecurity Regulation and its requirements. The first collection of videos addresses the November 2024 requirements, including multi-factor authentication, cybersecurity awareness training, encryption requirements, and Incident Response and Business Continuity and Disaster Recovery plans.
Bookmark the video series, which the Department will continue to update to include information on the upcoming May 2025 requirements.
Watch: Multi-Factor Authentication | Cybersecurity Awareness Training | Encryption Requirements | Enhanced Governance Requirements | Incident Response and Business Continuity and Disaster Recovery Plans
ICYMI: FAQs on the Shield Act
The Department added the following two FAQs to clarify the scope and requirements of a recent amendment to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act).
Does the amendment to subdivision 8(a) of New York’s SHIELD Act, signed into law on December 21, 2024, require businesses and individuals that are not regulated by DFS to notify DFS of a data breach?
No. The amendment to subdivision 8(a) of New York’s Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-aa (the SHIELD Act), signed into law on December 21, 2024, was subsequently revised by a chapter amendment on February 14, 2025. The revision clarifies that only Covered Entities, as defined in 23 NYCRR § 500.1(e), are required to notify DFS of Cybersecurity Incidents, as defined in 23 NYCRR § 500.1(g), in accordance with 23 NYCRR § 500.17(a).
Does the amendment to subdivision 8(a) of New York’s SHIELD Act, signed into law on December 21, 2024, limit or modify any reporting requirements currently imposed on covered entities?
No. The amendment to the SHIELD Act signed into law on December 21, 2024, and revised on February 14, 2025, does not limit or modify any existing reporting requirements for covered entities, which generally include DFS-regulated persons and entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
ICYMI: Reminders from DFS
To get regular cybersecurity updates delivered to your inbox, subscribe to Cybersecurity Updates. For additional questions related to the Cybersecurity Regulation, email DFS’s Cybersecurity team at cyberregsupport@dfs.ny.gov.
Visit the Cybersecurity Resource Center for all of DFS’s cybersecurity tools and guidance.
***************
Do Not Miss NYAMB's 37th Annual Regulatory Compliance Conference on April 28th at the Westchester Marriott in Tarrytown NY. There will be several Cybersecurity Companies present.
Sincerely,
Mark Favaloro
Chairman of the Board, Legislative Committee Co-Chair
New York Association of Mortgage Brokers