On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year ago (see our blog post here), but include some changes. NYDFS included comments on the proposed regulation and its response, in many cases indicating the NYDFS did not see a reason to change its proposal, but did change the provisions in some areas, including cybersecurity incidents:
– Addition of a new term “cybersecurity incident.” NYDFS retained the broader term “cybersecurity event” that it uses in several sections of the regulation, but, with respect to notifications to NYDFS (§ 500.17(a)), this new term applies. The two definitions from Section 500.1 are:
(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.
(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.
– NYDFS responded to comments about the 72-hour notification requirement regarding those situations where a service provider has been subject to a cybersecurity incident and/or notification must be given to other government agencies. NYDFS stated:
The Department has revised the language of § 500.17(a) by replacing “from a determination” with “after determining” to clarify that it is the covered entity that is required to notify another governmental body, self-regulatory agency, or any other supervisory body for the notification requirements to apply, and the 72-hour reporting requirement when third-party service providers are involved is triggered when the covered entity makes its determination that reporting is required, making clear that the reporting requirement is tied to the covered entity having knowledge of a reportable event. The Department believes that providing notification to the Department when notice is already provided to another government body, self-regulatory agency, or other supervisory body would not create a substantial administrative burden.
[Comments, pages 28-29]
– NYDFS also clarified the requirement to provide updates to NYDFS regarding a cybersecurity incident, by limiting the reporting requirement in 500.17(a)(2) to “update the superintendent with material changes or new information previously unavailable.”
NYDFS made other changes to the regulation, including with respect to the annual certification obligation: “the Department agrees to add the word “material” before the word “compliance” in § 500.17(b)(1)(i)(b) to be consistent with the Department’s intent to allow covered entities to certify their compliance with Part 500 if they have materially complied with Part 500 during the prior calendar year.” [Comments, page 32]
Given the wide variety of changes that our original post outlined, NYDFS has proposed several compliance dates, all based off the effective date of the new regulation of November 1, 2023. Most changes will take effect in 180 days (500.22(c)), or Monday, April 29, 2024. There are several other compliance dates that include different transition periods (500.22(d) and 500.22(e)), where covered entities will have:
(1) 30 days from the effective date of the second amendment to this Part to comply with the new requirements specified in section 500.17 of this Part; [cybersecurity incident reporting]
(2) one year from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.4, [CISO] 500.15, [encryption] 500.16 [written plans, including incident response plans] and 500.19(a) of this Part; [limited exemptions]
(3) 18 months from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.5(a)(2) [automated scans], 500.7, [risk assessment] 500.14(a)(2) [risk-based controls] and 500.14(b) [endpoint detection for Class A companies] of this Part; and
(4) two years from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.12 [MFA] and 500.13(a) [asset inventory] of this Part.
(e) The new requirements specified in sections 500.19(e)-(h),[exemptions] 500.20,[violations and penalties] 500.21, [effective date is November 1 2023] 500.22 [effective dates] and 500.24 [exemptions] of this Part shall become effective November 1, 2023.
We have added the bracketed descriptions of each section for the reader’s convenience.
Covered entities should begin planning and budgeting for the new requirements now, even for those requirements with longer effective dates, because they affect several aspects of the enterprise.