The Excess Line Association of New York published a bulletin informing brokers of the new cybersecurity regulations that will go into effect starting May 1, 2025.

Brokers that filed a limited exemption need only comply with the Section 500.7 requirements. Section 500.7 states that a cybersecurity system should include the following:

  • Limit the number of privileged accounts that have access to nonpublic information and periodically review access privileges
  • Disable or securely configure protocols that permit remote access to devices
  • Terminate access after departures
  • Implement a written password policy that meets industry standards

Brokers that have not filed a limited or full exemption are subject to the same requirements above and must also comply with Sections 500.5(a)(2) and 500.14(a)(2). Section 500.5(a)(2) requires that covered entities perform an automated scan of information systems in search of vulnerabilities after any material system change. Section 500.14(a)(2) requires that covered entities implement controls designed to protect against malicious code.

Class A brokers must comply with all of the requirements above and, in addition, must implement a method of blocking commonly used passwords for accounts used on information systems owned by the company. They must also implement a detection and response solution to monitor unusual activity.


The bulletin can be found here.