October 15, 2024
News

10-15-24 Amended NYSDFS Cybersecurity Regulations

On November 1, 2023, the New York Department of Financial Services (NYSDFS) released the finalized revisions to 23 NYCRR Part 500 (the “Cybersecurity Regulations”)[1]. We thought it might be helpful for our friends and clients to have a summary of the current status and applicability of the amended Cybersecurity Regulations. To learn more about the upcoming round of requirements going into effect on November 1, 2024, and May 1, 2025, see the article “Update on NYSDFS Cybersecurity Regulations.”

Applicability

The Cybersecurity Regulations apply to Covered Entities, which are further divided into Class A Companies, which have heightened requirements, and Small Businesses, which have somewhat less stringent compliance requirements and reporting processes.

A Covered Entity includes all DFS-regulated organizations. Covered Entities are defined as any individual or non-governmental partnership, corporation, branch, association, or other entity operating under, or required to obtain a license or similar authorization under, New York’s Banking Law, Insurance Law, or Financial Services Law. For example, state-chartered banks, mortgage brokers, and insurance brokers and agencies are Covered Entities. Portions of the Cybersecurity Regulations also extend to third-party service providers and other related business roles, such as employees and contractors, that participate in the Covered Entity’s business operations and are authorized to access its information systems and data.

A Class A Company is a Covered Entity that has at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either: 1) employed at least 2,000 employees averaged over the last two fiscal years or 2) generated over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations. Class A Companies are subject to more stringent requirements.

Small Businesses are Covered Entities that qualify for a limited exemption from some of the Cybersecurity Regulations’ requirements but still have comprehensive obligations under the Cybersecurity Regulations. There are three ways a Covered Entity can qualify for the exemption:

  • The Covered Entity and all of its affiliates combined have fewer than 20 employees and independent contractors,
  • The Covered Entity and all of its affiliates combined generated less than $7.5 million in gross annual revenue in each of the last three years from all business operations in New York, or
  • The Covered Entity and all of its affiliates combined hold less than $15 million in year-end total assets.

Small Businesses must file a Notice of Exemption with the DFS.

Requirements in Effect

Covered Entities, Class A Companies, and Small Businesses must implement and maintain a written policy or policies for the protection of their information systems.

Covered Entities and Class A Companies are required to appoint a senior governing body to oversee cybersecurity risk management. Each Covered Entity must appoint a Chief Information Security Officer (CISO). Small Businesses are exempt from this requirement.

Risk assessments continue to be required of Covered Entities, Class A Companies, and Small Businesses but must now be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the business’s cyber risk.

At a minimum, Covered Entities and Class A Companies must have a qualified party perform annual penetration testing from both inside and outside the boundaries of their information systems. All vulnerabilities identified must be prioritized by the risk they pose and remediated in a timely manner. Penetration testing is distinct from the automated scanning requirement that becomes effective in May 2025. Small Businesses are exempt from this requirement.

Covered Entities and Class A Companies must annually provide cybersecurity awareness training that includes information about social engineering. Class A Companies must design and conduct independent audits of their cybersecurity program.

In response to a cybersecurity incident, Covered Entities, Class A Companies, and Small Businesses are still required to report the incident to the NYSDFS Superintendent within 72 hours of determining that the event occurred. The Cybersecurity Regulations now require the same reporting for cybersecurity incidents occurring at any affiliates or third-party service providers.

If, in response to a cybersecurity incident, a Covered Entity, Class A Company, or Small Business makes an extortion payment, the entity must provide notice to the Superintendent within 24 hours of the payment or of notice of the payment. Within 30 days of the payment, the entity must also send the Superintendent a written description of the reasons the payment was necessary and the due diligence performed on the decision.

Covered Entities, Class A Companies, and Small Businesses must still provide a compliance certification to the Superintendent. The amendment revised the process: the entity certifies that it materially complied with the requirements in the past calendar year. Alternatively, the entity may state that it failed to materially comply, identify the nature and extent of its noncompliance, and include a timeline for remediation. Certifications are due annually on April 15.

Conclusion

We are prepared to help your company comply with the requirements of the amended 23 NYCRR 500. If you have any questions, please reach out to your Woods Oviatt Gilman attorney or any member of the Business and Tax Department at Woods Oviatt Gilman LLP.
[1] N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0-500.24.