The New York State Department of Financial Services issued a guidance letter notifying regulated insurance agents and mortgage loan originators of a model cybersecurity program template.
The department’s Cybersecurity Regulation, 23 NYCRR Part 500, requires covered entities to maintain a cybersecurity program.
The guidance letter states, “Pursuant to the cybersecurity regulation, covered entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.
“To assist individual licensees and single person regulated entities in creating a cybersecurity program, DFS has developed a model Cybersecurity Program Template,” it continued. “This resource prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the cybersecurity regulation. The template also includes frameworks for developing and tracking asset inventories, risk assessments, multi-factor authentication exceptions, and third-party service providers. This template is not a substitute for independently evaluating any business, legal, or other issues, and completion does not assure compliance with the regulation.”