The New York State Department of Financial Services (NYDFS) has published proposed amendments to its Cybersecurity Requirements for Financial Services Companies (amendments). The amendments to the agency’s cybersecurity regulations, 23 NYCRR § 500 (Part 500), would subject all covered entities — including banks, insurance companies and other financial institutions regulated by DFS — to a number of new cybersecurity requirements, including a 24-hour notification requirement for ransomware payments, annual penetration testing and risk assessments, enhanced cybersecurity policies and security measures, and new governance and board oversight requirements. They would impose additional requirements on a new category of Class A companies — the largest financial services companies — including requirements that they conduct independent audits of their cybersecurity programs at least annually, monitor privileged access activity and use external experts to conduct a risk assessment at least once every three years.
Part 500 first took effect in August 2017. Currently, the rules require banks, insurance companies and other institutions regulated by NYDFS to have a cybersecurity program designed to protect consumers’ private data, written policies approved by the board or a senior officer, a chief information security officer (CISO) to help protect data and systems, and other controls and plans in place. Covered entities must also report cybersecurity events through the NYDFS online cybersecurity portal.
In June 2021, NYDFS stated that it was considering revising Part 500 to address the evolution in cyber risk, citing an “evolving and more dangerous threat landscape” compared to when it first adopted the regulations. In particular, the agency noted that from January 2020 through May 2021, NYDFS-regulated companies reported 74 ransomware attacks, some of which caused crippling dayslong shutdowns.
In July 2022, NYDFS released pre-proposed amendments to Part 500 and solicited feedback from other regulators, industry groups and regulated entities.
On Nov. 9, NYDFS officially announced its proposed amendments to Part 500. NYDFS made a number of changes in response to feedback it received to the pre-proposed amendments over the past several months. Most notably, it limited Class A companies to only those that have had at least $20 million in gross annual revenue in each of the past two fiscal years from business operations in New York, and softened some of the technical requirements for those companies. Additionally, it added a requirement that a covered entity report a cybersecurity event at a third-party service provider that affects the entity.
In its announcement, NYDFS stated that the amendments are designed to combat increasingly sophisticated technologies and threats. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” NYDFS Superintendent Adrienne A. Harris said in a press release. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards — whether a bank, virtual currency company, or a health insurance company.”
The definition of “covered entity” would remain generally the same under the proposed amendments to Part 500, covering banks, insurance companies and other financial institutions regulated by DFS, although the amendments would add the italicized language to the definition:
“any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking law, the [New York] Insurance Law, or the [New York] Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”
This addition clarifies that covered entities would not be exempt from the regulation simply because they are also regulated by other government agencies. This is a departure from other U.S. privacy laws, which often exempt entities covered by sector-specific cybersecurity regulations.
Part 500 already requires covered entities to report some cybersecurity events through the NYDFS online cybersecurity portal within 72 hours. The amendments add three types of cybersecurity events that would need to be reported to NYDFS in this time frame:
The amendments would also require covered entities to provide NYDFS any information requested regarding the investigation of the cybersecurity event within 90 days of the notice, and to continually update and supplement the information provided.
In addition, a covered entity that makes a ransomware payment would need to notify NYDFS of the payment within 24 hours of making it. Further, within 30 days, it would need to provide a written description of the reasons a payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations.
The amendments specify that a covered entity’s annual certification of compliance to NYDFS under Part 500 would need to be signed by its highest-ranking executive and its CISO (or if it has no CISO, the senior officer responsible for its cybersecurity program). Until now, covered entities could submit this annual certification from their highest governing bodies or other senior officers.
The amendments would also require that covered entities base the annual certification on data and documentation sufficient to accurately determine and demonstrate full compliance.
Further, the amendments would create a new option for covered entities that did not fully comply with the cybersecurity regulations to provide written acknowledgment of noncompliance, in which they would describe the nature and extent of noncompliance; identify areas, systems and processes that require material improvement, updating or redesign; and provide remedial plans and a timeline for their implementation.
The amendments would also make changes to the required penetration testing and risk assessments that covered entities are already required to conduct under Part 500.
Under the amendments, covered entities would also need to implement new, enhanced cybersecurity controls and policies.
The amendments would create new governance and oversight requirements related to cybersecurity for a covered entity’s “senior governing body,” which is its board of directors (or an appropriate committee), or equivalent governing body, or if those do not exist, the senior officer responsible for its cybersecurity program.
The amendments would create a new classification of Class A companies, which are defined as covered entities with at least $20 million in gross annual revenue in each of the past two fiscal years from business operations of the covered entity and its affiliates in New York, and with either of the following:
In addition to the new obligations described above, Class A companies would need to comply with several additional requirements under the amendments:
Under Part 500, some small companies are exempt from certain provisions of the regulations, including the sections on governance, monitoring and training, and incident response plans.
The amendments would expand the number of companies that qualify for these exemptions. Whereas covered entities with fewer than 10 employees are currently exempt, the amendments would raise that number to 20 employees. Further, covered entities with less than $10 million in year-end total assets are currently exempt, but the amendments would raise that number to $15 million.
NYDFS published the amendments to the State Register on Nov. 9, commencing a 60-day comment period that will end on Jan. 9, 2023, at which point the amendments will be further revised or finalized.
If adopted, covered entities would have 180 days from the effective date of the amendments to comply with them, with some exceptions, including that covered entities would only have 30 days to comply with the new requirements related to notification of cybersecurity events and ransomware payments, and annual certification of compliance or acknowledgment of noncompliance. Covered entities would also have 18 months to comply with the new requirements for performing automated vulnerability scans and other technical control requirements.
Under the amendments, covered entities will violate the regulations if they commit a prohibited act; fail to comply with any section for a 24-hour period; or fail to secure, or prevent unauthorized access to, nonpublic information due to noncompliance with the regulations. In assessing a penalty for a violation, NYDFS will consider factors including the extent the covered entity cooperated with the investigation, the covered entity’s good faith, its history of prior violations, and the gravity of the violations and extent of harm to consumers.
The amendments may increase costs for some financial services companies that need to adopt additional cybersecurity measures. At the same time, there will be more NYDFS-regulated entities that qualify for a limited exemption based on their relatively smaller size. Companies that determine they qualify for a limited exemption would still need to file a Notice of Exemption form on the NYDFS website within 30 days of that determination.
 NYDFS, Proposed Second Amendment to 23 NYCRR § 500 (proposed Nov. 9, 2022).
 See Kramer Levin’s client alert on the original Part 500.
 NYDFS, Industry Letter Re: Ransomware Guidance (June 30, 2021).
 Press Release, NYDFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation (Nov. 9, 2022).
[View source.]See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Kramer Levin Naftalis & Frankel LLP | Attorney Advertising
Refine your interests »
Back to Top
Explore 2022 Readers’ Choice Awards
Copyright © JD Supra, LLC