NY| The Excess Lines Association of New York (ELANY) Bulletin 2025-09 revises the New York Department of Financial Services (DFS) cybersecurity regulation, effective May 1, 2025. This regulation impacts brokers in various ways depending on their exemption status.
Key Points:
- Vulnerability Management and Access Controls: Brokers must conduct automated scans and manual reviews of their systems to identify vulnerabilities, and implement enhanced access controls, including limiting user privileges and promptly terminating access after personnel departures.
- Compliance Based on Exemption Status: Brokers with limited exemptions must comply with access control requirements, while those without exemptions must also conduct vulnerability scans. Class A brokers face additional requirements, including monitoring privileged access and implementing password management solutions.
- Advanced Security Measures for Class A Brokers: Class A brokers are required to implement endpoint detection and response solutions, centralized logging, and security event alert systems. They may use compensating controls if approved by the Chief Information Security Officer in writing.