The New York Department of Financial Services Finalizes Cybersecurity Regulations

April 3, 2024
The NYDFS issued the finalized revisions to the NYDFS Cybersecurity Regulations

On November 1, 2023, the New York Department of Financial Services (NYDFS) issued the finalized revisions to the NYDFS Cybersecurity Regulations, which represent the Second Amendment to 23 NYCRR Part 500. Viewed as the most significant modifications to Part 500 since the regulations were first enacted in 2017, they establish new requirements for NYDFS-regulated covered entities. Part 500 defines covered entities as “any person operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” It is important for these covered entities to understand the amended regulations and to take the appropriate measures to ensure their compliance. The NYDFS has already indicated that certain changes will require many entities to make substantial enhancements (and related investments) to their current cybersecurity measures. Additionally, it has forewarned that there will be an increase in its investigation and enforcement actions related to its amended cybersecurity regulations, which some believe will be adopted by other federal and state agencies.

Steps to Take

Covered entities should start by reviewing their current cybersecurity initiatives to assess system weaknesses. Penetration testing and vulnerability assessments should be performed by an experienced third-party cybersecurity firm or a qualified internal information technology (IT) staff member, rather than a managed service provider. They should then take the necessary measures to mitigate any vulnerabilities and to leverage any new technologies that support the highest level of cybersecurity. Finally, all the new components of the Second Amendment to Part 500 should be reviewed, understood, and shared with all officers of the company, members of the IT staff, and any outside vendors performing maintenance or other services for the organization’s IT systems.

Second Amendment Requirements

Below is a breakdown of the new requirements under the NYDFS Cybersecurity Regulations Second Amendment:

  • Creation of a new class of covered entities called “Class A Companies,” which will have additional requirements to meet. Class A Companies are covered entities with a minimum of $20,000,000 in gross annual revenues in each of the last two fiscal years from the business operations of the covered entity and its New York-based affiliates, and either 2,000 employees (counting both the covered entity and its affiliates regardless of their location) averaged over the last two fiscal years, or over $1,000,000,000 in gross annual revenues in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates. The regulation specifies that “when calculating the number of employees and gross annual revenues, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.” The requirements for Class A Companies include independent audits (500.2 (c)), privileged access monitoring (500.7 (c)), and an endpoint detection and response solution that includes centralized logging and security event alerting (500.14 (b)).

Other features of the amendments that apply to all covered entities, the details of which can be found in the NYDFS finalized Second Amendment to its Cybersecurity Regulations, include:

  • Cybersecurity policy (500.3), which requires an annual review of the cybersecurity policy by a senior officer of the covered entity or its senior governing body and includes new areas to cover in the policy such as data retention, end-of-life management, remote access, monitoring of systems and network security, vulnerability management, cybersecurity awareness training, and incident notification.
  • Senior governing body (i.e., board or equivalent senior officer(s)) (500.4 (d)) is required to provide oversight of the cybersecurity program and related matters (e.g., the development, implementation, and maintenance of the program).
  • Vulnerability management (500.5)
  • Access and privilege management (500.7)
  • Password policy (500.7)
  • Application security (500.8)
  • Risk assessment (500.9)
  • Multi-factor authentication (MFA) (500.12)
  • Notice of cybersecurity incidents and extortion payments (500.17 (a) and 500.17 (c))
  • Certification (500.17 (b))
  • Enforcement (500.20)
  • Asset management and data retention (500.13 (a))
  • Monitoring (500.14 (b))
  • Training (500.14 (a)(3))
  • Encryption (500.15)
  • Incident response and business continuity and disaster recovery (500.16)

Compliance Dates

While some of the requirements under NYDFS’ Second Amendment to its Cybersecurity Regulations have already been in effect since the first deadline of December 1, 2023 (i.e., the requirements under 500.17 (a), which require notice of cybersecurity events and ransomware payments to authorities), April 15, 2024 is the next compliance deadline: under 500.17 (b), covered entities must submit a Certification of Material Compliance or Acknowledgement of Noncompliance for the year 2023, which now requires written certification from both the CISO and “the covered entity’s highest-ranking executive”. To ensure a complete understanding of the new cybersecurity requirements for covered entities, the NYDFS is holding free training webinars and additional programs for insurance producers. For more information, visit: https://www.dfs.ny.gov/