New York State Department of Financial Services Amends Cybersecurity Regulation 23 NYCRR Part 500
Atlanta, Ga. (November 10, 2023) - On November 1, 2023, the New York State Department of Financial Services adopted amendments to its Cybersecurity Regulations to incorporate current best practices to better protect business and consumers from emerging cyber threats. The amendments also incorporate additional requirements for businesses related to protections against cyber threats.
The amendments define a new class of companies that are regulated by the Department based on gross revenue and number of employees. The amendments impose higher level requirements for cybersecurity policies, procedures, and incident response plans for these companies, including implementing certain cybersecurity measures such as network monitoring, an end point detection and response tool, and centralized logging and alerting.
The regulations also impose new requirements on the governing body for all businesses covered by the regulations. These governing bodies are tasked with oversight of cybersecurity risk management and ensuring that the business has allocated sufficient resources to implement and maintain an effective cybersecurity program.
In addition, all businesses covered by the regulations must implement additional cybersecurity measures, including multi-factor authentication, asset management, web and email filters, and cybersecurity training against social engineering attacks.
Businesses covered by the regulations are also required to update their incident response plans, and if not already in place, they must develop a Business Continuity and Disaster Recovery Plan (BCDR). The BCDR must include procedures for implementing offsite backups, among other things.
Perhaps the most significant changes to the regulations pertain to reporting requirements. A business covered by the regulations is now required to file a certificate of regulatory compliance annually by April 15. If a business is not in compliance, the filing must include an acknowledgement of non-compliance, and a plan and timeline for remediation. Businesses are also now required to report any extortion payments within 30 days of making the payment.
The new compliance requirements will take effect in phases. Covered entities have until 4/29/2024 to come into compliance. Changes to reporting requirements take effect on 12/1/2023. Certain other requirements become effective in 12-18 months.
For more information, contact the authors or editors of this alert or visit our Data Privacy & Cybersecurity Practice page.
Author:
Tawana Johnson, Partner and Vice Chair of Data Privacy & Cybersecurity Practice
Editors:
Robert F. Walker, Partner and Chair of Data Privacy & Cybersecurity Practice
Ross Molina, Partner and Vice Chair of Data Privacy & Cybersecurity Practice
Related Practices
Related Attorneys
Partners
-
-
-
404.476.2089
Latest News
- May 10, 2024 Rafael Zahralddin Interviewed by Law360 on Credit Bidding in Bankruptcy Asset Sales
- May 08, 2024 Josh Cole Aicklen Receives 2023 NBI Outstanding Faculty Award
- May 07, 2024 Steven Lee Speaks With Law360 On Binance Founder’s Prison Sentence
Seminars & Webinars
- May 16, 2024 • General Webinar Series Workers’ Compensation: Recent Trends
- May 28, 2024 • Labor & Employment Webinar Series Georgia, Florida & North Carolina Employment Law Trends
- June 12, 2024 • Data Privacy & Cybersecurity Webinar Series Minimizing the Impact of a Cyber Event