On November 1, 2023, the New York Department of Financial Services (NYDFS) introduced its second amended Cybersecurity Regulation (23 NYCRR Part 500). The amendments, influenced by extensive public feedback, introduce several significant changes, including heightened cybersecurity requirements for large licensees known as “Class A Companies.” Compliance with these new requirements is mandated by April 29, 2024, with certain provisions having extended transition dates.
One notable requirement is the implementation of an automated method to block commonly used passwords for all accounts on information systems owned or controlled by Class A Companies, and wherever feasible, for all other accounts. This measure is designed to enhance security by preventing the use of weak passwords that are easily exploitable by cyber attackers.
“Each class A company shall monitor privileged access activity and shall implement an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.”
The automated password blocking requirement applies specifically to “Class A Companies.” According to the regulation, a Class A Company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either:
Over 2,000 employees on average over the last two fiscal years, including affiliates; or over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates.
The requirement for automated password blocking became enforceable on April 29, 2024. Organizations who do not yet meet this requirement are encouraged to implement these measures as soon as possible to avoid penalties and make their environment secure.
The NYDFS has established stringent enforcement provisions for non-compliance with the cybersecurity regulation. Covered entities found to be non-compliant may face significant punishment, including financial fines. The exact amount of the fines can vary based on the severity of the non-compliance and the potential impact on the entity’s cybersecurity posture.
Each Class A Company must:
To comply with this requirement in the easiest, most secure, and most cost-effective way, Class A Companies should consider using Enzoic for Active Directory:
Enzoic for Active Directory is an easy-to-install plugin that provides a frictionless way to identify, monitor, and remediate unsafe passwords. It offers a comprehensive solution for ensuring password security and compliance with the NYDFS regulation.
Try Now: Eliminate commonly used and compromised passwords in your environment. Download and try free for up to 20 users.
Product Demo: Watch a full product demo to understand how Enzoic for Active Directory can help enhance security, save time, and reduce administrative costs.
Enzoic for Active Directory is designed to meet current industry best practices and guidelines, providing continuous credential protection and ensuring compliance with the NYDFS Cybersecurity Regulation. Implementing Enzoic will give your organization the tools it needs to stay secure and compliant.
For more detailed guidance on compliance with the NYDFS Cybersecurity Regulation and to explore how Enzoic for Active Directory can benefit your organization, contact Enzoic today.
AUTHOR
Josh Parsons
Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.