NY DFS amends 23 NYCRR Part 500 to enhance cybersecurity obligations

Overview

On November 1, 2023, The New York State Department of Financial Services (DFS) published amendments to its cybersecurity regulation 23 NYCRR Part 500 (Part 500). The published amendments mark the first substantive revision to Part 500 since the regulation was originally enacted on March 1, 2017. Financial services companies required to comply with Part 500 include partnerships, corporations, branches, agencies and associations required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking, Insurance or Financial Services Law (covered entities). 

Key changes

As outlined in a DFS press release, the key changes to Part 500 include:

Enhanced governance requirements;

• The final rule continues the general supervisory trend of requiring boards of directors to take an increasingly active role in the oversight of a covered entity's operational compliance function. The regulation requires covered entities to report material cybersecurity issues to the organization's senior governing body, the board of directors or equivalent, that is responsible for the covered entity's cybersecurity program.
• In addition to exercising oversight over a covered entity's cyber risk management, the organization's senior governing body must regularly review the entity's cybersecurity program. The CISO must report in writing annually to the senior governing body.
• Written cybersecurity policies and procedures must be revised and approved annually by the senior governing body.
• The final rule subjects a category of entities that are characterized as "Class A companies" to annually obtain independent audits of their cybersecurity programs. Class A companies are covered entities that, in each of the previous two fiscal years, have: at least US$20m in gross annual revenue from all business operations, including those of its New York affiliates; and (1) over 2,000 employees; or (2) over US$1bn in gross annual revenue from all business operations of the entity and all affiliates. 

Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;

• Controls should be implemented to ensure that nonpublic information can only be accessed by employees who need such access in order to perform their jobs. Which employees need access to nonpublic information should be evaluated on an annual basis. Nonpublic information includes business-related data as well as information concerning identifying factors of individuals.
• Covered entities must implement written password policies that meet industry standards to the extent passwords are used for authentication.
• Multi-factor authorization must be used for individuals accessing a covered entity's information systems unless otherwise exempted. 
• Class A companies must implement an endpoint detection and response solution to monitor anomalous activity and a solution to centralize logging and security event alerting, unless written approval is obtained from the CISO confirming that an equivalent is being used. Class A companies, specifically, must implement a privileged access management solution and an automated method of blocking commonly used passwords. Privileged access relates to authorized users that can perform security-related functions.

Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning;

• At a minimum, covered entities must annually conduct:
  • Penetration testing of the covered entity's information system simulating attacks from both inside and outside the information systems' boundaries; and
  • Automated scans of information systems as well as a manual review of any systems that cannot be tested by scans. 
• Additionally, covered entities must:
  • Implement written policies and procedures governing how to maintain an information system asset inventory. Tracking of assets must include the owner, location, classification, support expiration date, recovery time objectives and the frequency of when the inventory must be updated. 
  • Create a written incident response plan that outlines responsive measures to be taken should a cybersecurity event occur.
  • Develop a business continuity and disaster recovery plan (BCDR) that ensures the availability and functionality of the covered entity's information systems and sufficient services to protect personnel, assets and nonpublic information in the event of a cybersecurity-related disruption.

Updated notification requirements, including a requirement to report ransomware payments; and

• In the event a covered entity makes an extortion payment, it must notify the DFS within 24 hours of the payment, and within 30 days of the payment, provide a written description detailing why the payment was necessary, what it was, the extent to which diligence was conducted to find alternatives and the extent to which diligence was done to ensure compliance with OFAC rules and regulations.
• Covered entities must annually submit a written certification confirming compliance with Part 500 that can be supported by data and documentation to demonstrate such compliance. If it has not complied with Part 500, a covered entity must submit a written explanation outlining why and how it did not materially comply, which includes a remediation timeline. A written certification or acknowledgment must be submitted electronically annually by April 15^th. 

Updated direction for companies to invest in annual training and cybersecurity awareness programs that anticipate social engineering attacks relevant to their business model and personnel.

• Covered entities must provide at least annual cybersecurity training that includes information on social engineering for all personnel.
• All employees that are responsible for implementing cybersecurity plans must have relevant training.

Potential penalties

A covered entity can be penalized for failing to satisfy the requirements of Part 500, for such reasons as: (1) failing to prevent unauthorized access to nonpublic information due to noncompliance with Part 500; or, (2) failure to comply materially for 24-hours with Part 500, such as by failing to file accurate and timely certifications. When considering the imposition of , DFS will consider a variety of factors, including the good faith of the entity, history of prior violations, the extent of harm and the gravity of the violations.   

Compliance dates

The new regulation takes effect in phases. Covered entities have until April 29, 2024 to come into compliance with Part 500. Reporting requirements take effect on December 1, 2023. 

More detailed information concerning implementation timelines for financial services companies, small business and Class A businesses can be obtained from DFS.  

Practical considerations

The new rule is more specific as to requirements relating to cyber incidents, which is likely to be an area that many institutions will have to address. Once procedures are updated, employees will have to be trained on those procedures, particularly with respect to the handling of nonpublic information, and specific steps to be taken in the event of a potential incident. Consideration should be given to running teams through refined table-top exercises around crisis events that include notification to DFS and other agencies. 

Covered entities should determine if they are a Class A company, and if so, initiate steps to comply with those specific requirements.