
    NYDFS Part 500 November 2025 Amendments: What Changed for Third-Party Device Access

    Ensure Team | November 18, 2025 | 8 min read

    What Changed

    The amended 23 NYCRR 500 expanded MFA requirements to all individuals accessing information systems — including brokers on unmanaged devices.

    Key Sections Affected

    • §500.12 Multi-Factor Authentication: Now applies to all individuals, not just employees
    • §500.14 Monitoring: Enhanced requirements for access activity monitoring
    • §500.17 Incident Response: Tighter notification timelines

    What This Means for Carriers

    If your independent agents access any system containing nonpublic information, you now need documented evidence that:

    1. MFA is enforced at every login
    2. The device used meets your security baseline
    3. You can produce audit logs showing compliance

    The Attestation Challenge

    Your annual CISO attestation now requires you to certify compliance across all access points — including the thousands of unmanaged devices used by your independent distribution network.

    This is where most carriers struggle. You can't attest to controls you can't verify.
