On November 1, 2023, New York Governor Kathy Hochul announced that the New York Department of Financial Services (“NYDFS”) finalized amendments to its Part 500 Cybersecurity Regulations (“Final Amendments”)—the first significant change to the regulations since their inception in March 2017. The Final Amendments generally track previous NYDFS proposed amendments—including the November 9, 2022 proposal that we covered here—with certain important changes.
For example, in response to comments requesting that NYDFS use the term “cybersecurity incident” (instead of “cybersecurity event”) to align with language in other regulations, NYDFS added the term “cybersecurity incident” with respect to reporting obligations (§ 500.17), but retained the old term in other provisions. NYDFS also pared back the proposed requirement to provide updates to NYDFS regarding a cybersecurity incident by tailoring the reporting obligation in § 500.17(a)(2) to “update the superintendent with material changes or new information previously unavailable.”
Key Takeaways from the Final Regulations
Enhanced Cybersecurity Incident Notifications. The Final Amendments require 72-hour notice to NYDFS after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider. Notice must be made electronically in a form on the NYDFS website. The Final Amendments also impose a 24-hour notification obligation in the event an extortion payment is made and a 30-day requirement to provide a written description of why payment was necessary, the alternatives considered, and diligence conducted to find such alternatives.
NYDFS defines “cybersecurity incident” as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that either:
- Impacts the entity and requires it to notify any government body, self-regulatory agency or any other supervisory body;
- Has a reasonable likelihood of materially harming any material part of normal operations; or
- Results in the deployment of ransomware within a material part of the entity’s information systems.
New Requirements for Larger Companies. The Final Amendments create additional requirements for “Class A” companies, which include entities with an in-state (New York) gross annual revenue of at least $20 million in each of the last two fiscal years and (1) over 2,000 employees averaged over the last two fiscal years (including employees working at an affiliate), or (2) more than $1 billion in gross revenue in each of the last two fiscal years from all operations. New obligations for “Class A” companies include:
- Independent audits of cybersecurity programs based on a risk assessment;
- A privileged access management solution;
- An automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the company and wherever feasible for all other accounts;
- An endpoint detection and response solution to monitor anomalous activity, including lateral movement; and
- A solution that centralizes logging and security event alerting.
Requirements for Covered Entities. The Final Amendments require all covered entities to perform an annual risk assessment incorporating threat and vulnerability analyses. Additionally, companies will need to develop procedures around maintaining a robust asset inventory, which includes a method to track key information for each asset, including the (1) owner, (2) location, (3) classification or sensitivity, (4) support expiration date, and (5) recovery time requirements. Protecting assets and information is, not surprisingly, a continued priority for NYDFS. For example, the Final Amendments require certain covered entities to adopt multi-factor authentication (“MFA”) for remote access to both information systems and third-party applications, as well as for all privileged accounts other than service accounts that prohibit interactive login.
Expanded Governance Obligations. NYDFS continues its focus on the accountability of boards and senior management. A covered entity’s Chief Information Security Officer (“CISO”) must be a “qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” Additional governance requirements include:
- Annual CISO reports to the board;
- CISO reports to the board or other senior executive on material cybersecurity issues including significant cybersecurity events and significant changes to the covered entity’s cybersecurity program;
- Compliance certifications signed by the “highest-ranking executive” and the CISO; and
- That the board exercise oversight of and provide direction to management on cybersecurity risk management.
The board must have a “sufficient understanding of cybersecurity-related matters,” receive regulatory updates on the cybersecurity program, and also provide sufficient resources for managing the program.
Enforcement. Any failure to comply with any portion of the Cybersecurity Regulations is, under the Final Amendments, a violation of the rules. Specifically, such acts or failures include, without limitation: (1) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section, or (2) the material failure to comply for any 24-hour period with any section. Notably, however, NYDFS will consider various mitigating factors that contributed to noncompliance, including good faith, any history of prior violations, extent of harm to consumers, gravity of the violation, whether the incident was an isolated event, and accurate and timely disclosure to affected consumers.
NYDFS has proposed several compliance dates, all based on the effective date of November 1, 2023. While most changes will take effect in 180 days (Monday, April 29, 2024), some provisions are effective immediately, including:
- § 500.19(e-h): Various exemptions;
- § 500.20: Enforcement requirements;
- § 500.21: Effective date;
- § 500.22: Compliance timeline; and
- § 500.24: Filing requirements.
As the cybersecurity landscape continues to change, financial institutions should review their cyber programs and incident response protocols and develop a plan to address the updated Part 500 Cybersecurity Regulations, if applicable. Ropes & Gray will continue to monitor NYDFS developments. Subscribe to RopesDataPhiles for updates.