New York Department of Financial Services Strengthens Cybersecurity Regulation Through Recent Amendment

Read Time: 8 minutes
Key Takeaways: On November 1, 2023, the New York Department of Financial Services (“NYDFS”) adopted the long-awaited amendment (the “Amendment”) to the Cybersecurity Regulation at 23 NYCRR Part 500 (commonly referred to as “Part 500”). The Amendment significantly amends Part 500 requirements including its applicability to certain businesses. Notably, the Amendment establishes a new class of “covered entities,” which addresses large companies with a significant amount of revenue, and employees and imposes additional requirements on such entities.


Covered entities should take note that the Amendment establishes heightened breach notification procedures and requirements related to notifying NYDFS, specifically related to ransomware payments. Further, the Amendment imposes additional requirements for covered entities to implement specific controls related to technical safeguards and governance procedures. These requirements will take effect over a two-year period which started on November 1, 2023. Covered entities should immediately assess their current compliance and undergo an analysis to determine whether changes need to be made to meet the new Part 500 requirements.

Background

On March 1, 2017, NYDFS enacted Part 500, which established cybersecurity requirements for financial services companies operating under certain licenses in New York. Under Part 500 (both previously and as amended), all entities or individuals chartered, licensed, or approved to operate in New York state by NYDFS under Banking, Insurance and Financial Services Laws are considered “covered entities.” NYDFS implemented the regulation because financial services actors are a common target of cyber threats, which can lead to significant losses affecting New York businesses and consumers.

Through a series of rulemakings, NYDFS has now published the Amendment which has varying dates of applicability. The following is a summary of some of the key changes to Part 500.

Applicability and Exemptions

NYDFS now characterizes covered entities in three categories: Class A/Large Companies; Exempt/Small Companies; and Standard Companies (i.e., not Class A or Exempt/Small Companies). Notably, the Amendment created the Class A category of companies and also modified the requirements to be exempt from Part 500.

Class A Companies

Class A Companies have at least $20,000,000 in gross annual revenue in each of the past two fiscal years from all of the covered entity’s business operations plus the business operations of its affiliates in the state of New York (i.e., revenue from non-New York affiliates is not counted), and either:

  • an average of 2,000 employees over the past two fiscal years, counting the covered entity’s and its affiliate’s employees; or
  • more than $1,000,000,000 in gross annual revenue in each of the past two fiscal years from all business operations (globally) of itself and its affiliates, no matter their location.

It is important to note that affiliates are only counted when they share information systems, cybersecurity resources, or all or any part of a cybersecurity program of a covered entity.

Class A Companies have more stringent requirements under Part 500. Summarily, Class A Companies must:

  • conduct independent audits of its cybersecurity programs based on risk assessments performed on such programs;
  • implement a privileged access management solution and automated methods for blocking commonly used passwords for information systems accounts, if feasible; and
  • implement endpoint detection and response solutions to monitor activity, logging, and security event alerts.

These requirements are specific to Class A Companies and are in addition to the numerous other requirements in Part 500.

Exemptions

With the Amendment, NYDFS expanded the types of entities that are fully exempt from Part 500. Notably, employees, agents, representatives, designees, and now, wholly owned subsidiaries, of covered entities are fully exempt from Part 500. Previously, it was unclear whether wholly owned subsidiaries needed to meet Part 500 independently or as an affiliate of a covered entity. Certain exemptions were also made for inactive insurance brokers, agents, and certain reciprocal insurers under New York law.

In addition, requirements to meet the limited small business exemption have expanded. To qualify for this exemption, a covered entity must have less than any of the following: 20 employees and independent contractors including those of its affiliates; $7,500,000 in gross annual revenue including revenue from the New York business operations of its affiliates; or $15,000,000 in year-end total assets including those of its affiliates. Although the small business exemption has expanded, it is still a limited exemption. In other words, certain requirements of Part 500 still apply to these small businesses including having a cybersecurity program, cybersecurity policy, and access privileges, among others.

Incident Reporting, Business Continuity, and Disaster Recovery

Under Part 500, covered entities must notify NYDFS within 72 hours of determining that a cybersecurity incident (as defined) has occurred at the covered entity, its affiliates, or a third-party service provider. Part 500 now requires that covered entities promptly provide the superintendent of NYDFS with any information requested regarding a reported incident and continually update such superintendent as new information is made available related to the incident.

In addition, the incident reporting obligations expand to cybersecurity incidents that result in the deployment of ransomware within a material part of the covered entity’s information systems. If such deployment of ransomware occurs and the covered entity makes any extortion payment related thereto, the covered entity must notify NYDFS within 24 hours of the extortion payment. The covered entity must then follow up with NYDFS and provide certain information related to the extortion payment within 30 days of payment including why the payment was necessary. The new reporting obligations described above go into effect December 1, 2023.  

Relatedly, the Amendment provides enhanced requirements for the components of incident response plans (IRPs), which are required under Part 500. With respect to IRPs, in addition to the previous Part 500 requirements, such plans must now address recovery from backups and preparation of root cause analysis that describes how and why an event occurred, what business impact it had, and what will be done to prevent reoccurrence of the incident.

Along with IRPs, the Amendment introduces the requirement to implement Business Continuity and Disaster Recovery Plans (BCDRs). These plans must be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and services. In addition, such plans must be designed to protect the covered entity’s personnel, assets, and nonpublic information. There are specific requirements such plans must have including, but not limited to, identifying essential business operations, supervisory personnel, and communication procedures.

With respect to the IRPs and BCDRs, these plans must be tested at least annually with all staff and management critical to the response and must be revised as necessary.

Technical and Governance Changes

In addition to the modifications to Part 500 highlighted above, the following are brief summaries of additional modifications imposed under the new Part 500.

  • Chief Information Security Officers (“CISO”) have additional board reporting obligations related to cybersecurity issues. Along with additional board reporting obligations, the boards themselves (or senior officials and executives) must exercise sufficient oversight of the covered entity’s cybersecurity governance including having sufficient understanding of the entity’s program.
  • Required risk assessments must be reviewed and updated at least annually or whenever there is a material change in the covered entity’s cyber risk (e.g., through business or technological changes). As part of this update, related policies and procedures of the covered entity must also be updated according to the same schedule.
  • Covered entities must implement controls around monitoring systems for malicious code and web traffic, conduct automated scans of information systems (i.e., penetration tests) and remediate any identified vulnerabilities, and establish policies related to asset inventory, access control, and password management.
  • Subject to exemptions discussed above, covered entities must use multi-factor authentication (“MFA”) for anyone accessing their information systems. The CISO may approve alternatives to MFA if such alternatives are reasonably equivalent, or more secure, and must document and review those controls annually.
  • By April 15, 2024, and every year thereafter, covered entities must submit a signed statement certifying that the covered entity has materially complied with Part 500. Alternatively, covered entities must provide a written acknowledgment that it did not comply and identify which sections of Part 500 were not complied with. These statements must be signed by the covered entity’s highest-ranking executive and the CISO (or CISO-equivalent).

Violations

The Amendment provides that any single prohibited act or omission by a covered entity to satisfy Part 500 will be considered a violation. These acts or omissions include failure to secure or prevent unauthorized access to an individual’s or entity’s nonpublic information (due to noncompliance) or material failure to comply with Part 500 for any 24-hour period. In addition, the Amendment provides a host of factors the superintendent will consider when assessing any penalty.

Timeline for Implementation

With the numerous requirements imposed by this Amendment, NYDFS is introducing such requirements in a phased timeline. The exemptions and enforcement provisions above took effect on November 1, 2023. Thereafter, the earliest requirement that will apply are the cybersecurity incident notification requirements at § 500.17, which take effect December 1, 2023. The next pertinent date will be April 29, 2024, when additional requirements discussed above will take effect. For a full view of the timeline of key compliance dates, visit the NYDFS Cybersecurity Resource Center here.

Koley Jessen will continue to monitor developments related to Part 500 and advise as updates become available. If you have questions as to how to comply with Part 500, or whether it applies to your business, please contact one of the specialists in our Data Privacy and Security Practice Area.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Related Services

Explore Our

Newsroom


Learn about the latest legal news, firm announcements, and upcoming events on the topics important to you and your business.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.