New York State Department of Financial Services amends cybersecurity regulation
The New York Department of Financial Services, NYDFS, released the final amendment to its cybersecurity regulation 23 NYCRR §§ 500.0—500.24, or Part 500, on November 1, 2023. Part 500, originally enacted on March 1, 2017, established cybersecurity requirements for financial services companies, including most state-licensed banks and insurance entities, requiring regulated entities to establish and maintain, at minimum, certain standards to protect consumer information. The amendment expands on Part 500’s original requirements by imposing heightened cybersecurity standards, policies, and procedures.
Class A Companies
The amendment creates a new “class” of covered entities, NYDFS-regulated corporations, called Class A companies. A “Class A company” is defined, in part, as “a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years” in New York and either: “(1) over 2,000 employees averaged over the last two fiscal years,” or “(2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years.” Requirements for Class A companies include:
• Designing and conducting independent audits of their cybersecurity programs;
• Implementing privileged access management solutions; and
• Implementing endpoint detection and response solutions to monitor anomalous activity.
Oversight and Governance
Chief Information Security Officer “CISO." As part of the amendment’s heightened governance requirements, CISOs are required to report directly to senior leadership on “material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.” The amendment defines “CISO” as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.”
Senior Governing Body. The amendment also addresses the “senior governing body” that refers to a covered entity’s board of directors, or an equivalent governing body, “responsible for the covered entity’s cybersecurity program.” As part of the increased governance requirements, the senior governing body is required to oversee the covered entity’s cybersecurity risk management, including:
• (1) having sufficient understanding of cybersecurity-related matters to exercise such oversight;
• (2) requiring the covered entity’s executive management . . . to develop, implement and maintain the covered entity’s cybersecurity program;
• (3) regularly receiving and reviewing management reports about cybersecurity matters; and
• (4) confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
The amendment incorporates enhanced risk amendment standards as well, requiring covered entities to, among other things: (1) limit the number of privileged accounts; (2) limit the number of privileged accounts; (3) limit the use of privileged accounts; and (4) at a minimum, annually review all user access privileges. Based on its risk assessment, covered entities must implement controls to protect against unauthorized access to nonpublic information, including the use of multi-factor authentication for remote employees. A “Risk Assessment” is defined as:
[T]he process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.
The scope of what is deemed the nexus of a reportable incident is also expanded. While the amendment retains the term “cybersecurity event,” it expands on the phrase by adding “cybersecurity incident” to the definition section. See NYCRR § 500.1(g). A “cybersecurity incident” means:
[A] cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.
Part 500 utilizes “cybersecurity incident” in its notice requirement section. See NYCRR § 500.17(a).
The finalized amendment, adopted November 1, 2023, is effective upon publication in the New York State Register. Part 500’s compliance deadlines are generally rolled out in phases, providing regulated entities time to comply with the latest amendments. Unless otherwise specified, covered entities have one-hundred and eighty (180) days, or until April 29, 2024, to comply. Reporting requirement changes, however, take effect December 1, 2023. Compliance timelines are also available on the NYDFS’s website.
What Does this Mean for Your Business?
Covered entities should start to conduct internal assessments to determine any potential shortcomings in their policies, procedures, or overall governance structures to ensure compliance with Part 500.
For more updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. And, if you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.