In 2017, the New York Department of Financial Services ("NYDFS") enacted a landmark regulation requiring financial services institutions such as banks and insurance companies in the state to meet substantial cybersecurity preparedness requirements and certify such compliance on an annual basis. On November 1, 2023, Governor Kathy Hochul announced a significant overhaul of that regulation, with the goal of further improving the state's ability to protect sensitive consumer data held by financial institutions.

Key Changes to NYDFS Part 500

NYDFS's updated Part 500 Cybersecurity Regulation, effective November 1, 2023, aims to address the evolving and expanding cybersecurity threat landscape for holders of sensitive data.1 The revisions both clarify existing requirements and add new obligations for entities under NYDFS's regulatory umbrella. Some of the key provisions in the amendment include:

  • Creating a new category of "Class A" companies for covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations and with either (a) over 2,000 employees, or (b) over $1 billion in gross annual revenue.2 "Class A" companies will be required to conduct annual independent audits and implement programs to monitor privileged access activity along with endpoint detection and logging as part of their cybersecurity programs.3
  • Creating a new definition for "senior governing body" as the board of directors or the senior officer or officers of the covered entity responsible for the covered entity's cybersecurity program, who will be required to exercise effective oversight over the covered entity's cybersecurity risk management.4
  • Requiring cybersecurity policies and procedures focused on end-of-life management, remote access, asset inventory, and vulnerability and patch management, which, in addition to the other policies required under Part 500.3, must be reviewed and approved by the entity's senior officers at least annually.5
  • Unique to the Part 500 framework, the covered entity's senior governing body will now have a scienter requirement to have "sufficient understanding of cybersecurity-related matters." In addition to receiving regular cybersecurity updates, the governing body must also "confirm[] that the covered entity's management has allocated sufficient resources" to the cybersecurity program.6
  • Covered entities will now have to conduct annual penetration testing, risk assessments on an annual (rather than the previously detailed "periodic") cadence, and automated scans of information systems to identify, analyze, report, and remediate vulnerabilities.7
  • Covered entities will now be required to employ a written password policy when passwords are used for authentication, a more robust policy on privileged access accounts, and use of multi-factor authentication "for any individual accessing any information systems of a covered entity" except for limited circumstances.8
  • Covered entities will now be required to implement robust policies and procedures for information system asset management.9
  • Covered entities will now need to establish, implement, and train employees on, and annually test, incident response, business continuity, and disaster recovery plans.10
  • Covered entities are still required to certify Part 500 compliance by April 15 of each year but will now also have the option to file an "acknowledgment" when the company is unable to certify to full compliance.11
  • Starting December 1, 2023, covered entities will now be required to report cyber incidents to the NYDFS Superintendent via an electronic form on the department's website within 72 hours of determining a cyber incident occurred at the entity itself, its affiliates, or at a third-party service provider.12 Covered entities will also now be required to notify NYDFS of a ransomware "extortion payment" within 24 hours of the payment, with a written description of the reason payment was necessary within 30 days thereafter.13

For most of the new regulatory requirements, regulated entities are required to come into compliance by April 29, 2024. More onerous sections of the new regulations (such as implementing data mapping, an incident response plan and business continuity plan, and getting executive boards up to speed) have longer transitional periods spanning one year, 18 months, and two years from November 1, 2023.14 For more information, NYDFS will be hosting a series of webinars on November 15, 2023, November 30, 2023, and December 7, 2023, to train regulated entities on these new requirements. Registration is available on the Department's website.

Conclusion

NYDFS-regulated financial institutions should be keenly aware of how these changes to Part 500 impact their cybersecurity program. This is especially true given the looming April certification (or "acknowledgment") date incorporating some of these new requirements, and the fact that NYDFS is authorized to bring enforcement actions and impose penalties for a single violation of the new regulations.15 Jenner & Block stands ready to assist covered entities with enhancing their cybersecurity program to bring it into compliance with the amended Part 500 regulations.

Footnotes

1 New York State Department of Financial Services Second Amendment to 23 NYCRR 500, https://www.dfs.ny.gov/industry_guidance/regulations/final_adoptions_fs/rf_fs_2amend23nycrr500_text_20231101 ("Cybersecurity Requirements for Financial Services Companies").

2 Cybersecurity Requirements for Financial Services Companies at 500.1(d).

3 Cybersecurity Requirements for Financial Services Companies at 500.2(c) and 500.14(b).

4 Cybersecurity Requirements for Financial Services Companies at 500.2(q) and 500.4(d).

5 Cybersecurity Requirements for Financial Services Companies at 500.3.

6 Cybersecurity Requirements for Financial Services Companies at 500.4(c-d).

7 Cybersecurity Requirements for Financial Services Companies at 500.5(a-c) and 500.9.

8 Cybersecurity Requirements for Financial Services Companies at 500.7 and 500.12(a).

9 Cybersecurity Requirements for Financial Services Companies at 500.13.

10 Cybersecurity Requirements for Financial Services Companies at 500.16.

11 Cybersecurity Requirements for Financial Services Companies at 500.17(b).

12 Cybersecurity Requirements for Financial Services Companies at 500.17(a).

13 Cybersecurity Requirements for Financial Services Companies at 500.17(c).

14 Cybersecurity Requirements for Financial Services Companies at 500.21.

15 Cybersecurity Requirements for Financial Services Companies at 500.20.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.