New York State Department of Financial Services Amends Cybersecurity Regulation 23 NYCRR Part 500

November 10, 2023

Atlanta, Ga. (November 10, 2023) - On November 1, 2023, the New York State Department of Financial Services adopted amendments to its Cybersecurity Regulations to incorporate current best practices to better protect business and consumers from emerging cyber threats. The amendments also incorporate additional requirements for businesses related to protections against cyber threats.

The amendments define a new class of companies that are regulated by the Department based on gross revenue and number of employees. The amendments impose higher level requirements for cybersecurity policies, procedures, and incident response plans for these companies, including implementing certain cybersecurity measures such as network monitoring, an end point detection and response tool, and centralized logging and alerting.

The regulations also impose new requirements on the governing body for all businesses covered by the regulations. These governing bodies are tasked with oversight of cybersecurity risk management and ensuring that the business has allocated sufficient resources to implement and maintain an effective cybersecurity program.

In addition, all businesses covered by the regulations must implement additional cybersecurity measures, including multi-factor authentication, asset management, web and email filters, and cybersecurity training against social engineering attacks.

Businesses covered by the regulations are also required to update their incident response plans, and if not already in place, they must develop a Business Continuity and Disaster Recovery Plan (BCDR). The BCDR must include procedures for implementing offsite backups, among other things.

Perhaps the most significant changes to the regulations pertain to reporting requirements. A business covered by the regulations is now required to file a certificate of regulatory compliance annually by April 15. If a business is not in compliance, the filing must include an acknowledgement of non-compliance, and a plan and timeline for remediation. Businesses are also now required to report any extortion payments within 30 days of making the payment.

The new compliance requirements will take effect in phases. Covered entities have until 4/29/2024 to come into compliance. Changes to reporting requirements take effect on 12/1/2023. Certain other requirements become effective in 12-18 months.

For more information, contact the authors or editors of this alert or visit our Data Privacy & Cybersecurity Practice page.

Author: 

Tawana Johnson, Partner and Vice Chair of Data Privacy & Cybersecurity Practice

Editors:

Robert F. Walker, Partner and Chair of Data Privacy & Cybersecurity Practice

Ross Molina, Partner and Vice Chair of Data Privacy & Cybersecurity Practice