NYDFS Updates Its Cybersecurity Regulation To Protect Against Growing Cyber Threats
On November 1, 2023, New York Governor Hochul announced updates to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. These updates follow the NYDFS’s proposed Second Amendment to its Cybersecurity Regulation to strengthen the initial regulations and to protect cybersecurity programs from potential threats.
Background on the Cybersecurity Regulation
On March 1, 2017, New York’s Cybersecurity Regulation went into effect. This regulation set forth then-new standards for any organization regulated by the NYDFS, including financial institutions, insurance companies, mortgage brokers, and banks. The standards included new obligations relating to record retention, notices, and reporting obligations regarding security incidents. The Cybersecurity Regulation was initially amended in April 2020.
On June 28, 2023, the New York State Department of Financial Services (NYDFS) published a Revised Proposed Second Amendment to its Cybersecurity Regulation. The Amendment furthers the goal of NYDFS to ensure covered entities are taking preventative measures to protect customer information and information technology systems from new and evolving threats.
The Second Amendment to the Cybersecurity Regulation introduces further restrictions and additional clarity and regulations in the following areas:
- Clarification of “Class A Company” Definition
o A “Class A Company” is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the entity and its affiliates in New York and: (1) over 2,000 employees averaged over the last two fiscal years across both the entity and its affiliates or (2) over $1 billion in gross revenue in each of the last two fiscal years from all business operations of the entity and its affiliates.
- Governance Requirements
o Clarify that the duty of the senior governing body (i.e., a board of directors or its equivalent) is to provide effective oversight of the cybersecurity program.
o Class A Companies must conduct a risk assessment at least every 3 years.
o Covered entities must engage in annual testing of the prescribed Incident Response Plan (IRP) and Business Continuity and Disaster Recovery Plan (BCDRP).
- Security Measures
o Information systems owned and controlled by Class A Companies are required to implement an automated password block.
o The Multifactor Authentication (MFA) requirements have been expanded to be more aligned with the requirements under the FTC Safeguards Rule.
o Covered entities are compelled to adopt new controls to prevent unauthorized access to information systems, conduct more regular risk assessments, and maintain robust incident response planning procedures.
- Notifications and Certifications to NYDFS
o Cybersecurity event reporting must make clear whether an event occurred at the covered entity or its service provider.
o The annual certification of compliance now permits covered entities to submit a written acknowledgment that they did not fully comply with all requirements.
o Covered entities are required to adhere to updated notification requirements, including a new requirement to report ransomware extortion payments to NYDFS within 24 hours of the payment.
Timing of the New Requirements
The updates to the Cybersecurity Regulation will take effect at various times.
- Regulated entities will generally have until April 29, 2024, to comply with the amended regulation;
- New reporting requirements will take effect on December 1, 2023; and
- Other specific compliance dates can also be found on the NYDFS cybersecurity resource center.
In the following weeks, NYDFS will host an upcoming series of training sessions on the amended cybersecurity regulation to help regulated entities plan for compliance. If your business is a covered entity under the NYDFS Cybersecurity Regulation, you should begin to take appropriate steps to ensure compliance with these requirements and updates.
Are you regulated by New York’s Department of Financial Services? Contact one of McGrath North’s privacy and compliance experts for all of your questions relating to the NYDFS Cybersecurity Regulation and its newest updates.
Related Attorneys
