On November 1, 2023, the New York Department of Financial Services (“NYDFS”) released the finalized amendments of Part 500 of its cybersecurity regulations. These revisions represent the most significant modifications since the enactment of the rules in March 2017. Noticeably, covered entities are now subject to new requirements imposing heightened responsibilities on Chief Information Security Officers (“CISOs”) and more specific and prescriptive requirements in relation to governance, risk assessments, and notifications to the NYDFS. Some requirements also apply specifically to larger covered entities falling under the “Class A companies” category.
The adoption of the new rules is the result of a year-long process starting with the publication on July 29, 2022, of a “pre-proposed” draft amendment which was revised on November 9, 2022 and June 28, 2023. The amended rules (“Amendment”) contain the provisions we had initially described in the original NYDFS proposal a year ago (see our blog post here), but include some notable changes. NYDFS included comments on the Amendment indicating in many cases that NYDFS did not see a reason to change its proposal, but did change the provisions in some areas nevertheless.
This final version will take effect over the next 2 years with gradual implementation of certain rules over such time. On December 1, 2023, the initial updates to existing reporting requirements will go into effect. Additional changes to required policies and procedures will not begin to take effect until April 2024 and rolling thereafter. Implementation timelines have been shared by NYDFS for each categories of organizations subject to the new rules, including covered entities, small businesses, and Class A companies.
The Amendment includes a new requirement to report to the superintendent of NYDFS when a ransomware event has been deployed in a material part of the covered entity’s information system (500.1(g)(3)). The covered entity should not wait to determine the impact of the cybersecurity incident and should consider that the successful deployment of a ransomware event constitutes a reportable event. This notice requirement explicitly applies to cybersecurity incidents occurring to the covered entity itself, its affiliates, or a third-party service provider.
Additionally, the covered entity must now notify NYDFS when an extortion payment has been made (500.17(c)) regardless of the impact of the underlying cybersecurity event. A notice of payment is due within 24 hours and must be supplemented within 30 days by a more detailed description of the reasons that led to the payment. This separate and more detailed notice must include a fuller description of why a payment was necessary, what alternatives were considered, and the diligence completed to ensure compliance with all legal requirements, including sanctions from the United States Treasury Department’s Office of Foreign Assets Control (“OFAC”). This new requirement is similar in nature to the federal ransom payment reporting requirement created by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) to the extent that the notice is due regardless of whether the ransom payment is made as a consequence of a covered cybersecurity incident. Under the Amendment, a ransom payment made “in connection with a cybersecurity event,” as defined broadly by 500.1(f), is sufficient to trigger this new notice requirement.
The Amendment also creates a new category of covered entities named “Class A companies” with unique requirements (500.1(d)). Under the Amendment, a Class A company is defined as a covered entity with over 2,000 employees, or with over $1,000,000,000 in gross annual revenue in each of the last two fiscal years. Class A companies are specifically required to:
– conduct independent audits of their cybersecurity program based on their risk assessment (500.2(c));
– monitor privileged access activity by implementing a privileged access management (“PAM”) solution, and automatically blocking commonly used passwords (500.7(c));
– implement an endpoint detection and response (“EDR”) solution, as well as a solution that centralizes logging and security event alerting such as a security information and event management (“SIEM”) solution (500.14(b)).
The Amendment also includes new governance requirements and responsibilities applicable to the CISO of all covered entities. In particular, the new rules provide that the CISO and the highest-ranking executive of the covered entities must file annually a notice of compliance with the NYDFS (500.17(b)(2)). This notice of compliance should take the form of a certification that the covered entity materially complied with all requirements of Part 500. Alternatively, the covered entity must file an acknowledgment that it did not materially comply with all requirements, identifying the areas of noncompliance, and providing a remediation timeline or a confirmation of that remediation has been completed.
Among the new governance requirements included in the rules, the CISO must now report to the senior governing body of the covered entity on material cybersecurity issues, including but not limited to significant cybersecurity events and significant changes to the cybersecurity program (500.4(c)). The new rules provide more details on how the senior governing body of the covered entity is expected to exercise oversight of its cybersecurity risk management. Under the Amendment, the senior governing body is expected to have “sufficient understanding of cybersecurity-related matters” and to confirm that the covered entity has “sufficient resources to implement and maintain an effective cybersecurity program” (500.4(d)). These enhanced governance requirements reinforce the central role played by the CISO and the importance for covered entities to allocate resources and expertise to their cybersecurity program.
The Amendment adds “and Business Continuity Management” to the incident response obligations within the title of Section 500.16. The Amendment includes a new requirement for business continuity and disaster recovery (“BCDR”) planning. It further states that BCDR plans must focus on protecting against cybersecurity-related disruptions to business operations by imposing specified measures, such as identifying essential documents, data, and personnel, and including plans and procedures for managing a cybersecurity-related disruption.
Incident response plans must now include (1) root cause analysis of the event, any business impact, and prevention measures; and (2) updates to the incident response plans as needed.
The Amendment requires that covered entities ensure that all necessary employees and management have access to the plans, provide relevant training to these employees, provide at least annual testing for the effectiveness of its incident response and BCDR plans, and maintain and protect necessary backups.
Finally, the new rules include several requirements for more regular risk and vulnerability assessments. Covered entities must now conduct a penetration test at least annually from both inside and outside of the covered entity’s information systems’ boundaries (500.5). The risk assessment mandated by the new rules must now be conducted at least annually and whenever the covered entity’s cyber risk materially changes (500.9). Covered entities shall also provide at least annual training and cybersecurity awareness programs that anticipate social engineering attacks (500.14).
Covered entities will need to demonstrate compliance within 180 days of the Part 500 update being published in the State Register, with the exception of the requirements listed in the table below:
|November 1, 2023 (Immediately)||500.19(e-h): Various exemptions; 500.20: Enforcement requirements; 500.21: Effective date; 500.22: Compliance timeline; and, 500.24: Filing requirements.|
|30 Days from Publication in State Register||500.17: Notification of cybersecurity incidents to NYDFS.|
|One Year from Publication in State Register||500.4: CISO and senior governing body requirements; 500.15: Encryption requirements; 500.16: Incident response plan requirements; and, 500.19(a): Exemptions based on employees and revenue.|
|18 Months from Publication in State Register||500.5(a)(2): Automated information systems scan requirements; 500.7: Privileged accounts requirements; 500.14(a)(2): Malicious code requirements; and, 500.15: Endpoint detection solution requirements.|
|Two Years from Publication in State Register||500.12: Multi-factor authentication requirements; and, 500.13(a): Asset inventory requirements.|
This amendment of NYDFS Part 500 represents a major evolution for covered entities now subject to more regular risk and vulnerability assessments as well as additional governance requirements. Covered entities should consider the following actions to comply with the Amendment:
1. Determine whether the covered entity is a “Class A Company” in order to comply with the new requirements.
2. Begin planning and budgeting for the implementation of the new requirements now, even though changes will take effect later in time.
3. Review the resources they allocate to confirm they have sufficient capabilities to implement and maintain an efficient cybersecurity program. Ensuring that their CISO has sufficient resources and their senior governing body has sufficient understanding of cybersecurity-related matters is a priority.
4. Review and update their cybersecurity policies and procedures to comply with the new rules as they take effect over the next 2 years.