
NYDFS Second Amendment to 23NYCRR500: Changes and Updates to the Regulation

Background on NYDFS and 23 NYCRR Part 500

On March 1, 2017, the New York State Department of Financial Services (NYDFS) enacted a regulation establishing cybersecurity requirements for financial services companies, called 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”).

Since the regulation was adopted, the cybersecurity landscape has evolved tremendously as threat actors have become more sophisticated and more prevalent. Cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves.

As a result, Part 500 was amended to include additional requirements around cybersecurity, effective November 1, 2023. This article includes a summary of the critical changes, a timeline for implementation, and specific actions for affected organizations.

Summary of Critical Changes

The recent amendments to Part 500 have introduced several key changes to fortify the cybersecurity posture of covered entities under NYDFS.

Classification of Class A Companies:

  • A new category, "Class A companies," has been introduced. A Class A company is a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations in New York, and either (a) more than 2,000 employees (counting those of the covered entity and all of its affiliates) or (b) more than $1,000,000,000 in average gross annual revenue over the last three fiscal years from all business operations of the covered entity and its affiliates. (3)

Additional Requirements for Class A Companies:

  • Independent Cybersecurity Audits: Class A companies must have independent audits of their cybersecurity program conducted at least annually by external auditors.
  • Risk Assessments: All covered entities must complete a risk assessment at least annually, and whenever a material change in the business or its technology alters its cybersecurity risk. Class A companies must additionally use external experts to conduct a risk assessment at least once every three years.
  • Monitoring Privileged Access: Class A companies must implement a password vaulting solution for privileged accounts and monitor privileged access activity.
  • Endpoint Detection and Response Solutions: Class A companies must implement an endpoint detection and response solution to monitor for anomalous activity, together with a solution that centralizes logging and security event alerting.

Enhanced Cybersecurity Governance:

  • More Frequent Board Reporting: Reporting to the board must occur more frequently, and the board must demonstrate cybersecurity expertise.
  • Assignment and Authority of a Chief Information Security Officer (CISO): The CISO must have adequate authority to manage cybersecurity risks, including the ability to direct sufficient resources to implement and maintain the cybersecurity program.
  • Annual Reports by the CISO to the Board: The report must cover the confidentiality of nonpublic information, the integrity and security of information systems, material cybersecurity risks, the overall effectiveness of the cybersecurity program, and plans for remediating material inadequacies.

Business Continuity and Disaster Recovery (BCDR) Plan:

  • Covered entities are required to maintain and test a BCDR Plan to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or other disruption of normal business activities.

Stringent Notification Requirements:

  • Covered entities must notify the superintendent within 72 hours of a cybersecurity event in which an unauthorized user has gained access to a privileged account, or in which ransomware was deployed within a material part of the covered entity's information system.
  • Covered entities must provide notice of, and an explanation for, any extortion payment made in connection with a cybersecurity event. The notice of payment must be filed within 24 hours of the payment, followed within 30 days of the payment by a written description of why the payment was necessary.

Augmented Security Safeguards:

  • New or enhanced security safeguards, including an expanded scope for risk assessments and penetration testing, email and web filtering, encryption, and multi-factor authentication. Other affected areas include privileged access, asset inventory, data retention, device removal, remote access, incident response and notification, and vulnerability management, which must include timely notification of new vulnerabilities and timely, risk-based remediation.

Training Requirements:

  • The amended training requirements now require employee training at least annually, along with social engineering exercises. Training at least once a year is also required specifically for the staff, senior officers, and high-ranking executives who are critical to the business continuity and disaster recovery plan.

Changes to Exemptions:

  • The limited exemption has been expanded to cover entities with fewer than 20 total employees; less than $7.5 million in gross annual revenue in each of the last three fiscal years; or less than $15 million in year-end total assets. Entities must certify that they qualify for the limited exemption, and an entity that no longer qualifies now has only 180 days to come into compliance.

Timeline of Changes Required in 2023 and First Half of 2024

Date of change: December 1, 2023
Regulation: 500.17
Summary of change:
  • Notifying DFS of cybersecurity events that were reported to other authorities, or that have a reasonable likelihood of materially harming any material part of normal operations, continues to be required.
  • Cybersecurity events that involve ransomware deployment, and any ransom payments made, must now be reported.

Date of change: April 15, 2024
Regulation: 500.17(b)
Summary of change:
  • Submit either a Certification of Material Compliance or an Acknowledgment of Noncompliance for calendar year 2023. Both annual submissions must be signed by the highest-ranking executive and the CISO.

Date of change: April 29, 2024
Regulation: 500.9
Summary of change:
  • Risk assessments, which continue to be required, must now be reviewed and updated at least annually, and whenever a change in the business or its technology causes a material change to the covered entity's cyber risk.

Date of change: April 29, 2024
Regulation: 500.3
Summary of change:
  • Cybersecurity policies must be reviewed and approved annually by the senior governing body or senior officer(s), and procedures must also be documented. After assessing risks, covered entities must update policies and procedures to address these additional areas where needed:
    • Data retention
    • End of life management
    • Remote access
    • Systems and network monitoring
    • Security awareness and training
    • Systems and application security
    • Incident notification
    • Vulnerability management

Date of change: April 29, 2024
Regulation: 500.5(a)(1), (b), and (c)
Summary of change:
  • Conduct penetration testing at least annually, from both inside and outside the information systems' boundaries.
  • Have a monitoring process in place that promptly informs the covered entity of new security vulnerabilities. Prioritize and remediate vulnerabilities in a timely manner based on risk.

Date of change: April 29, 2024
Regulation: 500.14(a)(3)
Summary of change:
  • Cybersecurity awareness training must now include social engineering and must be provided at least annually.

Bottom Line on 23 NYCRR Part 500

Any financial institution regulated by NYDFS should be aware of the new amendments to Part 500, which are meant to strengthen their cybersecurity programs. Companies should consult legal counsel about the definition and classification of "Class A companies" and other related language that could apply to them.

NYDFS has laid out specific dates by which the new requirements must be implemented (refer to the timeline above). Penalties can be imposed for a single violation of the amended regulation, so companies should be informed of the new deadlines for incorporating these changes. (5)

Financial institutions should begin planning for these changes immediately, prioritizing the reporting changes that took effect on December 1, 2023. Other productive steps include performing a thorough review of current compliance gaps and building a roadmap to ensure all new requirements are met by the defined deadlines. Certain requirements, such as implementing a vulnerability management program, can take significant time and resources even when planned well.

Echelon Risk + Cyber can assist covered entities in enhancing their cybersecurity program to become compliant with the new amended Part 500 regulations and more related compliance frameworks.
