Financial firms doing business in New York should be mindful of a recent e-blast sent by the state’s financial regulator concerning cybersecurity requirements that become effective in less than two months. The New York Department of Financial Services (DFS), in a “Cybersecurity Regulation Updates and Reminders” e-blast on Feb. 27, 2025, discusses annual compliance requirements under DFS’ cybersecurity regulation, 23 NYCRR Part 500 (Part 500), and alerts covered entities to new requirements under Part 500 taking effect on May 1, 2025, including requirements relating to access management, vulnerability management and protections against malicious code.

The e-blast reminds recipients that entities covered under Part 500 (generally, banks, insurance companies and other financial firms, collectively “covered entities”) must submit annual compliance notifications to DFS. The e-blast states, “Covered entities now have the option to submit either a Certification of Material Compliance (certifying they materially complied with [Part 500] requirements that were applicable to them in the prior year) or an Acknowledgement of Noncompliance (identifying all sections of [Part 500] with which they have not complied and providing a remediation timeline).” By April 15, 2025, covered entities other than those fully exempt from Part 500 must submit one of these filings for the 2024 calendar year. Covered entities that qualify for limited exemptions still must submit an annual notification regarding their compliance.

The e-blast goes on to explain that on May 1, 2025 (which is 18 months from the effective date of Part 500’s second amendment), additional requirements take effect:

  • All covered entities, other than those completely exempt from Part 500, must
    • “Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
    • Review access privileges and remove or disable accounts and access that are no longer necessary.
    • Disable or securely configure all protocols that permit remote control of devices.
    • Promptly terminate access following personnel departures.
    • Implement a reasonable written password policy to the extent passwords are used.”

  • Covered entities (whether Class A or not) must observe the following Part 500 requirements, except that covered entities qualifying for the exemption for smaller firms need not comply with these, as explained below.
    • The covered entity must conduct “automated scans of information systems, and a manual review of systems not covered by such scans to discover, analyze, and report vulnerabilities at a frequency determined by their risk assessment and promptly after any material system changes.”
    • The covered entity must implement controls to protect against malicious code.

Each covered entity with (1) fewer than 20 employees and independent contractors of the covered entity and its affiliates; (2) less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates; or (3) less than $15 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates, qualifies for this smaller-firm exemption and need not comply with the requirements in the two bullets immediately above.

  • Class A entities (explained below) must implement (1) an endpoint detection and response solution to monitor anomalous activity and (2) a centralized logging and security event alert solution. Chief information security officers, or CISOs, can approve reasonably equivalent or more secure compensating controls, but the approval must be in writing.

A Class A entity is a covered entity that had at least $20 million in gross annual revenue in each of the last two fiscal years from (x) all business operations of the covered entity and (y) the business operations in New York of the covered entity’s affiliates and that has either (1) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located, or (2) over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located. For the purposes of this definition, when calculating the number of employees and gross annual revenue, affiliates include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.

The e-blast also announces two new FAQs on the DFS site concerning New York’s Stop Hacks and Improve Electronic Data Security Act (N.Y. Gen. Bus. Law § 899-aa), or SHIELD Act. The FAQs clarify that:

  • The SHIELD Act does not require businesses and individuals that are not regulated by DFS to notify DFS of a data breach. Only DFS-regulated entities are required to provide this notification, as and when required under Part 500.
  • The amendment to the SHIELD Act signed by Gov. Kathy Hochul on Feb. 14, 2025 (to the effect that notice to the DFS is required only if the person or business is a covered entity) does not limit or modify any reporting requirements currently imposed on covered entities.