Effective November 1, 2023, the New York Department of Financial Services issued its second amended Cybersecurity Regulation (the “Regulation,” 23 NYCRR Part 500). The amendment follows extensive public comments, some of which were reflected in the Regulation. Compliance is required by April 29, 2024 (180 days after the effective date), subject to the transition dates described below. Significant changes include:
There are also changes to enforcement provisions, and a new ability to request an exemption from electronic filing, as well as other adjustments to the Regulation. This article reviews the changes that are likely to be considered significant for many covered entities.
Class A Company Requirements
Under the Amendment, a “class A company” means a covered entity (i.e., a NY DFS licensee) with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the New York business operations of the covered entities affiliates, and either (i) over 2,000 employees averaged of the last two fiscal years, including affiliates, wherever located; or (ii) over $1 billion gross annual revenue in each of the last two fiscal year from all business operations of the covered entity at its affiliates wherever located. Only affiliates that share information systems, cybersecurity resources or (at least part of) a cybersecurity program with the covered entity are included.
As heightened requirements for class A companies, each class A company is required to:
The newly required “independent audit” can be conducted by internal or external auditors, who must be free to make decisions not influenced by the covered entity or its owners, managers or employees.
Notice of Cybersecurity Incidents, specifically including Ransomware and Extortion Payment
Notice had been required of certain cybersecurity events, which included “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” The Regulation adds a definition of cybersecurity incident to mean a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that: (1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or (3) results in the deployment of ransomware within a material part of the covered entity’s information systems. The requirement to notify the superintendent of cybersecurity incidents (previously, events) has been revised (i) to reflect the fact that elements triggering the notice requirement are now incorporated into the definition of cybersecurity incident, which now includes certain ransomware events; and (ii) to emphasize that notice is required if the cybersecurity incident “has occurred at the covered entity, its affiliates, or a third-party service provider.”
In the event of an extortion payment made in connection with a cybersecurity event, such as a ransomware attack, the covered entity must notify the superintendent within 24 hours, and within 30 days provide a written description of (i) the reasons payment was necessary, (ii) alternatives to payment, (iii) diligence performed to find alternatives, and (iv) diligence to ensure compliance (including OFAC).
New Governance Requirements
The Regulation adds a definition of Chief Information Security Officer (CISO) to mean “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.”
Also relevant to the new governance requirements, the Regulation defines “senior governing body” to mean the board of directors (or appropriate committee). Absent a Board or committee, the senior governing body means the senior officer or officers responsible for the cybersecurity program.
The Regulation adds an annual approval requirement for the cybersecurity policy.
The CISO must now report on a timely basis to the senior governing body or senior officer(s) on material cybersecurity issues.
The senior governing body is required to oversee cybersecurity risk management, including by
Vulnerability Management
The Regulation specifically requires written policies and procedures for vulnerability management, to conduct pen testing from both inside and outside the information systems, and automated scans and a manual review of systems to discover, analyze and report vulnerabilities, at a frequency determined by the risk assessment, and promptly after material systems changes. A monitoring process must promptly inform of new security vulnerabilities, which must be remediated on a timely basis.
Access Privileges and Management
The Regulation imposes specific requirements for limiting and managing access privileges, including to limit the number and access functions of privileged accounts; to review and remove unnecessary privileged accounts at least annually; to disable or securely configure protocols that permit remote control of devices; and promptly terminate access following departures.
Multi-factor Authentication
Covered entities must utilize multi-factor authentication for any individual accessing any information systems. If the covered entity qualifies for a limited exemption, then the multi-factor authentication shall be utilized for remote access to (i) the covered entity’s information systems, (ii) third party application (including cloud based) from which nonpublic information is accessible, and (iii) all privileged accounts other than service accounts that prohibit interactive login. The CISO may approve in writing the use of reasonably equivalent or more security compensating controls, which shall be reviewed at least annually.
Asset Management and Data Retention
The Regulation adds new, specific requirements for written policies and procedures related to assess inventory of information systems, including tracking, and frequency of required updates and validation.
Monitoring and Training
The Regulation adds requirements to implement risk-based controls to protect against malicious code, and training that includes social engineering.
Incident Response and Business Continuity
The Regulation expands the requirement for incident response plans to include specific and extensive provisions for operational resilience, business continuity and disaster recovery.
Annual Certificate of Compliance
The requirement for the annual certificate of compliance is revised to require data and documentation to support the certification, and which must be signed by the CISO and the highest ranking executive. In lieu of the certificate, the covered entity must file a written acknowledgment that the covered entity did not materially comply for the prior year, identify all sections of noncompliance, and the nature and extent of noncompliance; and provide a timeline for or confirmation of remediation.
Changes to Limited Exemptions
The Regulation adjusts the so-called small business exemptions, increasing the threshold for employees and independent contractors from 10 to 20, and deleting the previously confusing language related to the location or responsibility of personnel. The revenue threshold is increased from $5 million to $7.5 million, including revenues from all operations of the covered entity and New York operations of its affiliates. The threshold based on assets is increased from $10 million to $15 million.
The small business exemptions no longer apply to the requirements for multifactor authentication or cybersecurity awareness training.
The Regulation adjusts the limited exemptions as well, including to exempt certain individual insurance brokers.
Compliance and Transition Dates
As indicated above, the Regulation became effective November 1, 2023, with general compliance required within 180 days (or April 29, 2024), with certain provisions subject to transition dates:
Therefore, the provisions related to the limited exemptions other than the small business exemptions (Section 500.19(e)-(h)); enforcement (Section 500.20); effective date (Section 500.21), transition dates (Section 500.22), and exemptions from electronic filing (Section 500.24) will be enforceable April 24, 2024.
Sign up for our newsletter and get the latest to your inbox.