10-15-24 Update on NYSDFS Cybersecurity Regulations

Update on NYSDFS Cybersecurity Regulations

The next round of requirements from New York’s cybersecurity regulations will come into effect on November 1, 2024. A second set will come into effect on May 1, 2025. In November 2023, the New York Department of Financial Services (NYSDFS) finalized revisions to its cybersecurity regulations (the “Cybersecurity Regulations”)[1] which aimed to address the prevalence and increasing sophistication of cyberattacks. These new regulations will impose additional requirements on businesses which are licensed by the NYSDFS. For an overview of the Cybersecurity Regulations as a whole, please click on this article “Amended NYSDFS Cybersecurity Regulations.”

Requirements Effective November 1, 2024

As of November 1, 2024, CISOs must comply with increased internal reporting requirements. The senior governing body overseeing the Covered Entity’s cybersecurity program must exercise oversight of risk management.[2]

Written policies requiring industry-standard encryption must be implemented. Use of effective alternative compensating controls of nonpublic information in transit over external networks is no longer allowed, while use of such alternative controls may be used for nonpublic information at rest so long as it is approved by the CISO in writing.

Incident response plans and business continuity and disaster response plans must be in place and updated as specified in the Cybersecurity Regulations. Employees involved in the plans’ implementation must be trained, and the plans must be tested annually. The ability to restore critical data and information systems must be tested annually as well.

Small Businesses are exempt from the new requirements effective November 1.[3]

Requirements Effective May 1, 2025

As of May 1, 2025, Covered Entities and Class A Companies must conduct automated scans of information systems and manually review systems not covered by such scans to discover, analyze, and report vulnerabilities.[4] These scans must be conducted periodically based on the Covered Entity’s risk assessment and promptly after any material system change.

Covered Entities, Class A Companies, and Small Businesses must implement enhanced requirements regarding access privileges and implement a reasonable written password policy. Class A Companies face heightened access privilege requirements.

Covered Entities and Class A Companies must implement controls to protect against malicious code. Class A Companies must further implement endpoint detection and response solutions.

Conclusion

The Superintendent is tasked with enforcement of the Cybersecurity Regulations and may consider the current extent of company compliance and the good faith of the company in striving for complete compliance.

We are prepared to help your company navigate the requirements of the amended 23 NYCRR 500. If you have any questions, please reach out to your Woods Oviatt Gilman attorney or any member of the Business and Tax Department at Woods Oviatt Gilman LLP.

[1] See 23 NYCRR Part 500.

[2] Covered Entities are defined as any individual or non-governmental partnership, corporation, branch, association, or other entity operating or required to obtain a license or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law. For example, state-chartered banks, mortgage brokers, insurance brokers and agencies, and service providers are Covered Entities.

[3] There are three ways a Covered Entity qualifies as a Small Business: 1) the Covered Entity and all of its affiliates combined have fewer than 20 employees and independent contractors; 2) the Covered Entity and all of its affiliates combined generated less than $7.5 million in gross annual revenue in each of the last three years from all business operations in New York; or 3) the Covered Entity and all of its affiliates combined hold less than $15 million in year-end total assets.

[4] Class A Companies are Covered Entities that have at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either: 1) employed at least 2,000 employees averaged over the last two fiscal years or 2) generated over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations.