NYDFS Second Amendment to 23NYCRR500: Changes and Updates to the Regulation
Background on NYDFS and 23 NYCRR Part 500
On March 1, 2017, the New York State Department of Financial Services (NYDFS) enacted a regulation establishing cybersecurity requirements for financial services companies, called 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”).
Since the regulation was adopted, the cybersecurity landscape has evolved tremendously as threat actors have become more sophisticated and more prevalent. Cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves.
As a result, Part 500 was amended to include additional requirements around cybersecurity, effective November 1, 2023. This article includes a summary of the critical changes, a timeline for implementation, and specific actions for affected organizations.
Summary of Critical Changes
The recent amendments to Part 500 have introduced several key changes to fortify the cybersecurity posture of covered entities under NYDFS.
Classification of Class A Companies:
- A new category termed "Class A companies" has been introduced, defined as covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in New York, and either more than 2,000 employees averaged over the last two fiscal years (including employees of the covered entity and all its affiliates, wherever located) or more than $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates. (3)
Additional Requirements for Class A Companies:
- Independent Cybersecurity Audits: Class A companies must design and conduct independent audits of their cybersecurity program, scoped according to their risk assessment. The audit may be performed by internal or external auditors, provided they are free to make decisions that are not influenced by the covered entity or its owners, managers, or employees.
- Risk Assessments: All covered entities must review and update their risk assessment at least annually and whenever a change in business or technology causes a material change to their cyber risk. Class A companies must additionally use external experts to conduct a risk assessment at least once every three years.
- Privileged Access Management: Class A companies must implement a privileged access management solution and an automated method of blocking commonly used passwords for all accounts on their information systems (and, where feasible, all other accounts). All covered entities must limit the number and use of privileged accounts, review access privileges periodically, and monitor the activity of authorized users to detect unauthorized access.
- Endpoint Detection and Response Solutions: Class A companies must implement an endpoint detection and response (EDR) solution to monitor anomalous activity, including lateral movement, and a solution that centralizes logging and security event alerting.
Enhanced Cybersecurity Governance:
- Board Oversight and Reporting: The senior governing body (typically the board) must exercise oversight of the covered entity's cybersecurity risk management, have sufficient understanding of cybersecurity matters to do so (which may include the use of advisors), and receive timely reports on material cybersecurity issues in addition to the CISO's annual report.
- Assignment and Authority of a Chief Information Security Officer (CISO): Ensuring the CISO has adequate authority for managing cybersecurity risks, including the ability to direct sufficient resources for implementing and maintaining a cybersecurity program.
- Annual Reports by CISO to the Board: Covering various aspects like the confidentiality of nonpublic information, integrity and security of systems, material cybersecurity risks, effectiveness of the cybersecurity program, and plans for remediating material inadequacies.
Business Continuity and Disaster Recovery (BCDR) Plan:
- Covered entities are required to maintain and test a BCDR Plan to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets, and nonpublic information in the event of an emergency or other disruption of normal business activities.
Stringent Notification Requirements:
- The 72-hour notification to the superintendent now also covers any cybersecurity event in which an unauthorized user has gained access to a privileged account, and any event that resulted in the deployment of ransomware within a material part of the covered entity's information systems.
- Covered entities must notify the superintendent of any extortion payment made in connection with a cybersecurity event within 24 hours of the payment, followed within 30 days by a written description of the reasons payment was necessary, the alternatives considered, the diligence performed to find alternatives, and the steps taken to comply with applicable rules and regulations.
Augmented Security Safeguards:
- New or enhanced security safeguards, including an expanded scope for risk assessments and penetration testing (annually, from both inside and outside the network boundary), email and web filtering to block malicious content, encryption of nonpublic information in transit and at rest, and multi-factor authentication for remote access and privileged accounts. Written policies must now also cover privileged access, asset inventory, data retention, end-of-life and device management, remote access, incident notification, and vulnerability management, including a process to be promptly informed of new vulnerabilities and to remediate them in a timely, risk-prioritized manner.
Training Requirements:
- The amended training requirements call for cybersecurity awareness training for all personnel at least annually, including social engineering exercises. Employees, senior officers, and executives with responsibilities under the business continuity and disaster recovery plan must also be trained on that plan at least annually.
Changes to Exemptions:
- The limited exemption thresholds have been raised: a covered entity qualifies if it has fewer than 20 employees (including those of its affiliates), less than $7.5 million in gross annual revenue in each of the last three fiscal years from New York operations, or less than $15 million in year-end total assets. Entities must file a notice certifying that they qualify for the exemption, and an entity that ceases to qualify now has 180 days to come into compliance.
Timeline of Changes Required in 2023 and First Half of 2024
| Date of change | Regulation | Summary of change |
|---|---|---|
| December 1, 2023 | 500.17 | Notification requirements: 72-hour notice to the superintendent of cybersecurity events, now including unauthorized access to a privileged account and ransomware deployed in a material part of the information systems; 24-hour notice of any extortion payment with a written explanation within 30 days. |
| April 15, 2024 | 500.17(b) | Annual certification of compliance for the prior calendar year, signed by the highest-ranking executive and the CISO, or a written acknowledgment of noncompliance identifying the unmet requirements and a remediation timeline. |
| April 29, 2024 | 500.9 | Risk assessment reviewed and updated at least annually and whenever a business or technology change materially alters cyber risk; Class A companies must use external experts at least once every three years. |
| April 29, 2024 | 500.3 | Cybersecurity policies and procedures approved at least annually by the senior governing body, with expanded required topics (including asset inventory and device management, data retention, remote access, vulnerability management, and incident notification). |
| April 29, 2024 | 500.5(a)(1), (b), and (c) | Penetration testing from inside and outside the network boundary by a qualified internal or external party at least annually; a monitoring process to be promptly informed of new security vulnerabilities; timely, risk-prioritized remediation. |
| April 29, 2024 | 500.14(a)(3) | Cybersecurity awareness training for all personnel at least annually, including social engineering exercises. |
Bottom Line on 23 NYCRR Part 500
Any financial institutions regulated by NYDFS should be aware of the new amendments to Part 500, meant to enhance their cybersecurity programs. Companies should consult legal counsel in relation to definitions and classifications of “Class A Companies” and other related language that could impact them.
NYDFS has laid out specific dates by which the new requirements must be implemented (refer to the timeline above). Penalties can be imposed for a single violation of the amended regulation, so companies should track the effective dates for each change. (5)
Financial institutions should begin planning for these changes immediately, prioritizing the notification requirements that took effect on December 1, 2023. Other productive steps include performing a thorough review of current compliance gaps and building a roadmap to ensure all new requirements are met by the defined deadlines. Certain requirements, such as implementing a vulnerability management program, can take significant time and resources even when planned well.
Echelon Risk + Cyber can assist covered entities in enhancing their cybersecurity program to become compliant with the new amended Part 500 regulations and more related compliance frameworks.
Sources:
- https://www.dfs.ny.gov/industry_guidance/cybersecurity
- https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf
- https://www.crosscountry-consulting.com/insights/blog/23-nycrr-500/
- https://blog.pia.org/2022/11/17/an-overview-amendments-to-n-y-s-cyber-security-regulation-23-nycrr-500/
- https://www.jenner.com/en/news-insights/publications/client-alert-new-york-issues-significant-amendments-to-its-forward-leaning-cyber-regulations