Key deadlines approaching under NYDFS Cybersecurity Regulations

Back in November, we wrote about publication of the final amendment to the New York Department of Financial Services (NYDFS or Department) cybersecurity regulation, 23 NYCRR §§ 500.0—500.24, or Part 500. Now that April is upon us, a major compliance deadline is approaching, and several new provisions of the November 2023 Amended are set to take effect.

If not already underway, covered entities should immediately initiate a review of their cybersecurity program to determine any potential shortcomings and areas of improvement. Below is a reminder of the new requirements and when they take effect.

Who is covered by the NYDFS Cybersecurity Regulation?

 The NYDFS Cybersecurity Regulation covers any organization that is licensed or regulated by the Department. This includes a wide swath of financial institutions that operate in New York, including state-chartered banks, licensed lenders, private bankers, mortgage companies, insurance companies, and foreign banks.

The Regulation exempts organizations with under 10 employees, less than $5 M in gross annual revenue for the past three years, or with less than $10 million in year-end total assets. NYDFS maintains a helpful "Am I Exempt" flowchart on their website to assist small entities to determine whether they are covered or exempt.

Annual compliance submissions due April 15, 2024

From the initial adoption of the NYDFS Cybersecurity Regulation, covered entities have been required to submit an annual notice of compliance with the Department by April 15. The November 2023 Amendment kept this requirement, but provided more detail regarding the method of providing the notice of compliance and the information to be included in this certification. All covered entities should ensure their notice of compliance is filed by Monday, April 15, 2024.              

New requirements effective April 29, 2024

Oversight and Governance: The Cybersecurity Regulation requires certain actions of the covered entity’s Chief Information Security Officer (CISO) and “Senior Governing Body.” For example, the CISO must report to senior leadership regarding “material cybersecurity issues” and changes to the entity’s cybersecurity posture. The Senior Governing Body is required to oversee and monitor the organizations’ cybersecurity program, which involves ensuring the entity has employees with sufficient knowledge and expertise to implement the program.      

Cybersecurity Awareness Training: The Cybersecurity Regulation specifies that entities must provide cybersecurity awareness training to employees at least annually, and that the training cover “social engineering.”

Risk Assessments: The Cybersecurity Regulation instituted enhanced risk amendment standards. Additionally, the Regulation makes clear that the organization’s risk assessment must be reviewed and updated annually and “whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.”

Vulnerability Management: The Cybersecurity Regulation requires entities to annually conduct penetration testing from both inside and outside the boundaries of information systems, and a manual or automated review of all information systems for the purpose of identifying and remediating any vulnerabilities.

For more updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. And, if you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.