ARTICLE
17 April 2024

NYDFS Cybersecurity Regulation Deadlines Approaching On April 15 And April 29

Katten Muchin Rosenman LLP

Contributor

Katten is a firm of first choice for clients seeking sophisticated, high-value legal services globally. Our nationally and internationally recognized practices include corporate, financial markets and funds, insolvency and restructuring, intellectual property, litigation, real estate, structured finance and securitization, transactional tax planning, private credit and private wealth.
United States Technology

On November 1, 2023, the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). NYDFS has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted (including Small Businesses, Class A Companies and Covered Entities). In addition, NYDFS has published training materials and FAQs regarding the new requirements.

As of December 1, 2023, Small Businesses, Class A Companies, and Covered Entities were required to report cyber incidents, including ransomware attacks, to NYDFS.

The next major deadline is April 15, 2024, for compliance with section 500.17(b) of amended Part 500. This requires all companies to submit a Certification of Material Compliance or Acknowledgment of Noncompliance to the NYDFS. NYDFS has provided in its FAQs that if a "Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b)."

By April 29, 2024, Covered Entities and Class A Companies must comply with most of the provisions under amended Part 500 (e.g., 500.2(c); 500.3; 500.5(a)(1), (b), and (c); 500.9; and 500.14(a)(3)). This includes updating their internal risk assessments, which they must continue to do at least annually or whenever a change in operations or technology causes a material change to the business's cyber risk. In addition, they must comply with certain testing, monitoring, training and audit requirements.

Under the amended Part 500, material compliance does not require absolute compliance. However, it does require entities to take a risk-based approach to assess their compliance needs and conduct an overall gap analysis of their current cybersecurity programs to comply with the amendments under Part 500.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
