What to Know About the Latest Amendments to NYDFS Cybersecurity Regulations

In November of 2023, the New York Department of Financial Services (NYDFS) announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500. These cybersecurity-focused amendments increase regulatory expectations for entities subject to the new compliance requirements (i.e., Covered Entities) with staggered implementation dates through 2025.

What do these new requirements entail and, most importantly, how do they affect your organization?

In an effort to better protect consumer data and financial systems, these cybersecurity amendments from NYDFS address emerging cybersecurity threats, especially in the context of best practices that leverage zero-trust and identity and access management (IAM) strategies. To become compliant, organizations must have explicit security controls in place — or face consequences that include fines and penalties.

There are three categories of Covered Entities:

1.     Large (“Class A”) Companies

2.     Small (“Exempt”) Companies

3.     Non-Class A, Non-Exempt (“Standard”) Companies 

Incorporating a risk-based approach derived from best practices, the security controls outlined in this amendment include stringent requirements for Covered Entities to:

• File annual cybersecurity compliance forms (by April 15 of each year). Covered Entities must review data and documentation to determine their compliance with Part 500 for the prior year and submit written certification of compliance for the prior calendar year. If the organization did not meet the requirements, they must submit a written acknowledgment of noncompliance, identifying all sections with which they did not materially comply, along with a remediation timeline for compliance.
• Review and approve written cybersecurity policies (by April 29 of each year). Covered Entities must annually review and approve their written cybersecurity policies.
• Review and update risk assessment (by April 29 of each year). Covered Entities must review and update their cybersecurity risk assessments at least annually, and when there is a material change to cyber risk. For example, review and update your risk assessment if your business has a significant change, or you significantly change the hardware or software you use to run your business.
• Implement cybersecurity awareness training (by November 1 of each year). Covered Entities must provide all staff at least annual cybersecurity awareness training which includes training on social engineering.
• Review and manage user access privileges (by May 1 of each year beginning in 2025). Effective now, Covered Entities must limit and review access privileges for users (including third-party service providers) that have access to nonpublic information maintained on their information systems. Beginning May 1, 2025, Covered Entities must review the access privileges of all users who have access to their information systems annually and determine whether they still need access, limit the access to only what they need, and terminate access that is no longer necessary.
• Implement multifactor authentication (MFA). Implement MFA for remote access to your organization’s information systems, remote access to third-party applications from which nonpublic information (NPI) is accessible, as well as all privileged accounts by November 1, 2024.
• Maintain asset inventories. Develop and maintain up-to-date asset inventory of information systems beginning November 1, 2025.
• Third-party assessments. Perform third-party service provider assessments on the continued adequacy of their cybersecurity practices.
• Report cybersecurity events. Events such as material breaches or extortion payments must be reported to the NYDFS along with required information regarding them.
• Securely dispose of NPI. Organizations must securely dispose of NPI that is no longer needed.
• Encrypt NPI and track cybersecurity events. In order to protect data from unauthorized access while quickly detecting and responding to threats, organizations must encrypt NPI both in transit and at rest while maintaining systems that audit and track cybersecurity events.

The aim of these amendments is to establish greater cybersecurity accountability within financial services organizations, holding banks, insurers and other covered firms strictly accountable for protecting both in-transit and at-rest data.

These regulations also take into account the size and complexity of organizations. For larger organizations with more complex operational structures and access to more resources, the amendments mandate most of the comprehensive cybersecurity measures above without exception. These organizations are also required to appoint a chief information security officer (CISO) who must report annually to the governing body and provide updates on the state of the organization’s security program, as well as remediation plans for gaps and vulnerabilities within it.

Smaller organizations benefit from certain accommodations designed to reduce the regulatory burden while still maintaining strong cybersecurity standards. Small businesses with fewer than 10 employees or less than $5 million in gross annual revenue, for example, may qualify for exemptions from some requirements. However, even these businesses must still implement fundamental cybersecurity practices such as periodic risk assessments and establishing basic incident response protocols.

This tiered approach is designed to ensure that all organizations maintain adequate defenses against cyberthreats while recognizing the resource limitations of smaller companies. These requirements will be enforced “under any applicable laws” (like the New York Banking Law or New York Insurance Law) which contain individual civil and criminal penalties for intentionally making false statements to NYDFS. Non-compliant organizations may even face civil liability from regulators or consumers.  

To learn more about the impact of these requirements and strategies for implementation, be sure to join us for this upcoming discussion on the newest NYDFS Cybersecurity Regulations.

While the amendments to these NYDFS regulations apply explicitly to financial services businesses within New York, and larger organizations must follow more strict regulations, it’s important for all organizations outside of New York — and even outside the financial services industry — to take note.

For companies outside of New York (especially those in the financial services sector), these amendments are a clear indicator of emerging regulatory standards that may soon be adopted by other jurisdictions. Stringent requirements around more robust risk assessments, detailed incident response plans and increased accountability at the executive level may soon become the norm nationwide as regulators aim to better protect consumer data and financial systems from ever-evolving cyberthreats.

Likewise, any organization outside of New York looking to access capital anywhere within New York could be subject to these same standards. For organizations outside of New York — and even outside of the financial services sector — these amendments emphasize a trend towards more rigorous cybersecurity regulations that could influence broader regulatory landscapes.

For example, organizations looking to procure cyber liability insurance may be required to meet similar standards as part of the underwriting process. Reflecting the mounting sophistication and frequency of cyberthreats, these regulations can serve as a benchmark for best practices in cybersecurity, potentially preempting similar regulations in other industries.

By proactively aligning with these advanced standards, organizations of all sizes around the country can prepare for stricter regulations to take effect within their jurisdictions or industries. They can also gain a competitive edge in the market by positioning themselves as leaders in cybersecurity readiness.

Whether your organization is looking to become compliant with these specific regulations, prepare for regulations that may be coming to your industry or location, or simply improve your current security posture, the best place to begin is with a security risk assessment.

When assessing your current cybersecurity posture, understanding your organization’s specific cyber risks, policies and procedures as well as your responses to those risks is key. An effective risk assessment brings to light the most exposed and costly vulnerabilities within your environment, allowing your organization to better allocate resources and costs.

CDW’s Security Program Assessment and Risk Quantification (SPARQ), for example, combines risk management and program strategy with the goal of maturing and optimizing security programs while truly quantifying risk-based data from cyber insurance carriers. Security specialists assess your current security posture and determine which strategy will deliver the most substantial reduction in risk for the least cost. From there, quantified remediation prioritization recommendations and a tailored roadmap will supply your security leaders with the information they need to drive security maturity and justify business decisions.