Next Part of New York’s Cybersecurity Regulation Takes Effect

Read Time: 5 minutes

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) strengthened its Cybersecurity Regulation through an amendment to 23 NYCRR Part 500 (commonly referred to as “Part 500”). The amendment imposed additional requirements for covered entities to implement specific controls related to technical safeguards and governance procedures. The most recent set of requirements went into effect on November 1, 2024 and imposes heightened obligations upon Class A and standard companies as well as small businesses with partial exemptions.

Part 500 was enacted by the NYDFS on March 1, 2017 and established cybersecurity requirements for financial services companies operating under certain licenses in New York. On November 1, 2023, NYDFS adopted the long-awaited amendment to reflect emerging changes in the cybersecurity landscape. The amended regulation’s new compliance requirements were set out to take effect over a two-year period. The most recent set of requirements went into effect on November 1, 2024 and are highlighted below, as applicable to Class A and standard companies in addition to small businesses with partial exemptions.

Requirements for Class A and Standard Companies

As of November 1, 2024, Class A and standard companies are subject to new requirements relating to cybersecurity governance, encryption of nonpublic information, and incident response and business continuity management under Part 500. Although Part 500 generally imposes different requirements for Class A and standard companies, the latest set of requirements applies uniformly to both, while reserving some exemptions for companies that qualify as small businesses under Section 500.19, as explained below.

Cybersecurity Governance

Section 500.4 of Part 500 requires Chief Information Security Officers (“CISOs”) to draft reports detailing the adequacy of the company’s cybersecurity posture in light of the relevant policies and procedures in place, the effectiveness of the company’s program, and plans for remediating material inadequacies in that program. These reports must be completed and shared annually with the company’s management bodies, such as its board of directors or senior officers. In addition, CISOs must report any material cybersecurity issues (e.g., significant cybersecurity events or program changes) to the senior governing body or senior officers in a timely manner. Finally, Section 500.4 implemented requirements regarding senior governing body oversight. Importantly, the governing body is expressly tasked with (1) sufficiently understanding cybersecurity-related matters in order to be able to exercise oversight; and (2) regularly receiving and reviewing management reports about cybersecurity matters.

Encryption of Nonpublic Information (“NPI”)

Section 500.15 requires covered entities to implement a written policy requiring encryption that meets industry standards for NPI held at rest and in transit over external networks. In effect, this requirement phases out the use of alternative methods of safeguarding information in transit over external networks, otherwise known as “compensating controls.” Covered entities may still use compensating controls to the extent that encryption of information in storage or “at rest” is infeasible, as determined by the company’s CISO in light of the company’s comprehensive cybersecurity structure. The CISO is further required to review the feasibility of encryption and the effectiveness of any compensating controls on an annual basis.

Incident Response and Business Continuity Management

Incident response plans continue to be required under Section 500.16, but they must be updated as specified by Part 500 and must be tested at least annually. Additionally, business continuity and disaster recovery plans that are reasonably designed to address cybersecurity-related disruptions and ensure business continuity must be in place. With regard to these plans, covered entities must train all employees involved in their implementation, and the plans must be tested with critical staff and revised as necessary. Lastly, entities must test their ability to restore critical data and systems from backups, ensuring that secondary information systems are protected and sufficient to restore operations in the event of a disruption.

Requirements for Small Businesses with Partial Exemptions

Small businesses with partial exemptions also have new requirements as of November 1, 2024. Covered entities that qualify as small businesses for these purposes are those that employ fewer than 20 individuals (inclusive of both employees and independent contractors) and satisfy one or both of the following criteria: (i) the company has generated less than $7.5 million in gross revenue from all business operations, including affiliates, in each of the three previous years; or (ii) the company, inclusive of any affiliates, holds less than $15 million in year-end total assets.

The only businesses that are exempt from the following requirements are those that qualify for full exemptions or those that otherwise qualify for partial exemptions under Section 500.19(c) or 500.19(d).

Multi-Factor Authentication

Small businesses with partial exemptions that have not already done so must now implement the multi-factor authentication requirements outlined in Section 500.12(a). This includes implementing multi-factor authentication for any remote access to their information systems, for remote access to third-party applications where NPI is accessible, and for privileged accounts.

Cybersecurity Training

Additionally, Section 500.14(a)(3) now requires entities to provide all personnel with cybersecurity awareness training at least annually. The training must cover social engineering methods, such as phishing and business email compromise, as well as techniques enhanced by AI, such as deepfakes.

Koley Jessen will continue to monitor developments related to Part 500 and advise as updates become available. If you have questions regarding Part 500 compliance, or whether it applies to your business, please contact one of the specialists in our Data Privacy and Security Practice Area.

Special thanks to summer associate Ellie Johnson for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
