The New York State Department of Financial Services (NYDFS) adopted comprehensive amendments to its cybersecurity regulation, 23 NYCRR Part 500 (known simply as Part 500), on Nov. 1, 2023. The draft amendments were first published in July 2022 and were finalized after three rounds of public comment. The amendments take effect on Dec. 1, 2023, with “transitional periods” of up to 24 months from the date of publication for covered entities to come into compliance with certain provisions.[1]
One of the biggest changes to Part 500 is the creation of a new class of covered entity called “Class A Companies.” A “covered entity” under the NYDFS is any person, partnership, or other entity operating or required to operate under a license, registration, charter, permit, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
Under the amendments, “Class A Companies” are defined as covered entities that have over $20 million in gross annual revenue in each of the past two years from all business operations of the covered entity and the business operations in New York of its affiliates, and that either (1) have over 2,000 employees worldwide or (2) have over $1 billion in gross annual revenue worldwide. When counting employees and gross annual revenue, a covered entity should include only those affiliates that share information systems, cybersecurity resources or any part of a cybersecurity program with the covered entity.
The heightened requirements for Class A Companies include:
The chief information security officer (CISO) may approve the use of reasonably equivalent, or more secure, compensating controls in place of the endpoint detection and response (EDR) and centralized logging and alerting solutions required of Class A Companies, but must do so in writing and must review those controls at least annually.
Starting Dec. 1, 2023, all covered entities must notify the NYDFS within 72 hours of any “cybersecurity event” that:
A “cybersecurity event” is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or the information stored on it, and the definition reaches the systems of a covered entity’s affiliates as well. The NYDFS treats any deployment of ransomware within a material part of the covered entity’s or its affiliates’ information systems as an event that requires notice, regardless of whether the ransomware caused any actual loss or disruption.
Additionally, covered entities must notify the NYDFS within 24 hours of paying a ransom or making any other extortion payment in connection with a cybersecurity event. Within 30 days of the payment, the covered entity must also provide a written description of the reasons the payment was necessary, the alternatives to payment that were considered, all diligence the entity performed to find alternatives to payment, and all diligence performed before payment to ensure compliance with sanctions lists and other applicable regulations.
By April 29, 2024, covered entities must update their internal risk assessments, and they must continue to do so at least annually or whenever a change in operations or technology causes a material change to the business’s cyber risk.
After updating their risk assessments, covered entities must also update their cybersecurity policies. The amendments add the following to the existing list of topics that these cybersecurity policies should address:
The amendments also require all covered entities to update their cybersecurity policies at least annually, beginning April 29, 2024.
In pursuit of greater cybersecurity oversight, the amendments define the new term “senior governing body” as “the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program.”
Starting April 29, 2024, the senior governing body must approve all cybersecurity policies and procedures at least annually and must review all risk assessments obtained or conducted by management.
By Nov. 1, 2024, the senior governing body must begin exercising oversight of a covered entity’s cybersecurity risk management. At minimum, the amendments require the senior governing body to:
Although Part 500 already referred briefly to CISOs, the amendments add a definition for this role, which reads “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The amendments also enumerate new tasks for the CISO.
While the CISO was previously required to submit an annual cybersecurity report, the amendments make clear that the CISO must submit that report in writing to the senior governing body at least annually. The CISO’s annual report should include the covered entity’s cybersecurity program and material cybersecurity risks. Beginning Nov. 1, 2024, the CISO must update the annual report to include plans for remediating material cybersecurity inadequacies.
Also commencing Nov. 1, 2024, the CISO must give timely updates to the senior governing body on any material cybersecurity issues that arise, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program. Finally, the covered entity must implement a written encryption policy, meeting industry standards, that covers nonpublic information both at rest and in transit over external networks. Where the covered entity determines that encryption of nonpublic information at rest is infeasible, the CISO may approve effective alternative compensating controls in writing, but must review both the feasibility of encryption and the effectiveness of those controls at least annually.
By Nov. 1, 2025, all covered entities must develop written policies and procedures designed to maintain a complete asset inventory of its information systems. This inventory must track at least the following information for each asset:
While the existing Part 500 contained modest references to incident response plans, the amendments add to these incident response requirements and create specific mandates for business continuity and disaster recovery (BCDR) plans as well. By Nov. 1, 2024, covered entities must maintain BCDR plans that are designed to ensure the availability and functionality of a covered entity’s information systems and material services, and they must also protect its personnel, assets and data. These BCDR plans must, at minimum:
Covered entities must also ensure that current copies of the BCDR plans are accessible to all employees needed to carry them out during a cybersecurity event, and must train those employees on how to implement the plans. Both the incident response plan and the BCDR plans must be tested at least annually. Finally, all covered entities must maintain backups of the data necessary to restore material operations and must test their ability to restore from those backups at least annually.
By May 1, 2025, the amendments require covered entities to conduct penetration testing at least annually, from both inside and outside the information systems’ boundaries. The amendments also require automated scans of covered entities’ information systems that are designed to discover, analyze and report on vulnerabilities, at a frequency determined by each entity’s risk assessment. Manual review must be performed for all systems not covered by the automated scans. The amendments further require new policies and procedures designed to promptly identify new vulnerabilities and timely remediate them, with such timing correlated to their potential risk factors.
The amendments add a number of requirements for access control and password management, including requiring covered entities to follow the principle of least privilege, to limit the number of accounts with privileged access, to review user access privileges periodically, to promptly disable or remove credentials when personnel depart, and to maintain a written password policy. Covered entities must implement these access and password controls by May 1, 2025.
The amendments also require covered entities, by Nov. 1, 2025, to use MFA for any individual accessing any of their information systems. The CISO may approve in writing the use of reasonably equivalent, or more secure, compensating controls in place of MFA, but must document those controls and review them at least annually.
Although cybersecurity awareness training was already required under Part 500, the amendments require covered entities to provide such training to employees at least annually. The amendments also require that cybersecurity training specifically include social engineering, beginning April 29, 2024.
By April 15, 2024, and every year thereafter, covered entities must submit either a signed statement certifying that the entity materially complied with Part 500 during the preceding calendar year or a written acknowledgment that it did not. Any acknowledgment of noncompliance must identify the sections of Part 500 with which the entity did not comply and provide a timeline for remediating the noncompliance. Each year’s certification of material compliance, or acknowledgment of noncompliance, must be signed by both the covered entity’s highest-ranking executive (e.g., its CEO) and its CISO (or, if there is no CISO, the next-highest-ranking person responsible for the company’s cybersecurity program).
Please reach out to the Kramer Levin privacy and cybersecurity team for assistance with this and other cybersecurity requirements.
[1] The amendments carve out certain exemptions and extend some deadlines for small businesses, defined as covered entities with fewer than 20 employees, less than $7.5 million in gross annual revenue in each of the past three years, or less than $15 million in year-end total assets. Unless otherwise noted, the deadlines in this article do not reflect any extensions available to small businesses.