NY| The Excess Lines Association of New York (ELANY) issues Bulletin No. 2025-22 announcing the final phase of New York Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR 500 requirements, effective November 1, 2025. The bulletin details new multi-factor authentication (MFA) requirements for brokers, additional cybersecurity measures for those with limited exemptions, and the need for comprehensive asset inventory management policies.
Main Points:
- All non-exempt brokers must implement MFA for any access to their information systems, with alternatives approved and reviewed by a CISO permitted under certain conditions.
- Brokers with limited exemptions (like small businesses) must use MFA for remote system access, third-party/cloud applications, and privileged accounts, except non-interactive service accounts.
- All brokers are required to establish and document complete asset inventory policies and procedures, ensuring regular tracking, classification, and validation of information system assets.