The New York State Department of Financial Services (“NYDFS”), which regulates financial services institutions including banks, insurance companies, and mortgage brokers, finalized an amendment to its Cybersecurity Regulation on November 1. The amendment, which is the first since adoption of the original Cybersecurity Regulation in 2017, concludes a rulemaking process that began with an initial proposed rule issued in July 2022.

This post summarizes several key developments for financial institutions subject to NYDFS’s authority. Unless otherwise noted below, the general compliance deadline is April 29, 2024.

New Requirements for Cyber Extortion Payments

In a change designed to address the increased prevalence of costly cyberattacks, including those arising from ransomware according to NYDFS, all covered entities will now be required to notify NYDFS within 24 hours of making any “extortion payment” made in connection with a cybersecurity event involving the covered entity electronically via its website form. “Extortion payment” is not defined, but would presumably include ransomware payments.

Additionally, within 30 days the covered entity must also provide a written description of all reasons payment was necessary, a description of alternatives considered and diligence associated with that consideration, and diligence performed to ensure compliance with OFAC and other applicable rules and regulations.

These amendments took effect on December 1, 2023.

Creation of New Category of “Class A Companies” Subject to Heightened Requirements

The amendment subjects larger entities that qualify as “Class A Companies” to additional requirements as compared to other covered entities.  To that end,  a covered entity qualifies as a Class A Company if it:

1. Has at least $20,000,000 in gross annual revenue in each of the two prior years from all business operations of the covered entity and business operations in New York of the covered entity’s affiliates that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity; and
2. Has, in combination with its affiliates that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity, either:
   1. More than 2,000 employees averaged over the last two fiscal years; or
   2. More than $1 billion in annual gross revenue in each of the last two fiscal years.

These “Class A Companies” will, in addition to complying with the requirements that apply to other covered entities, be required to:

1. Design and conduct an independent cybersecurity program audit based on risk assessments;
2. Monitor privileged access activity and implement privileged access management solutions;
3. Implement an automated method of blocking “commonly used passwords” on (i) all accounts the class A company owns or controls and (ii) “wherever feasible for all other accounts,” or document “in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls;” and
4. Implement an endpoint detection and response solution to monitor anomalous activity, including lateral movement and a centralized logging and security event alert solution, unless the CISO approves the use of equivalent or stronger compensating controls in writing.

These amendments take effect on May 1, 2025.

Revised Incident Reporting Requirements

The amendment also imposes stricter incident reporting requirements that will have the effect of:

• Expressly requiring notice to NYDFS of a cybersecurity event that “results in the deployment of ransomware within a material part of the covered entity’s information systems,” in addition to the currently required notification of cybersecurity events (i) of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or (ii) that has a reasonable likelihood of materially harming any material part of the covered entity’s normal operations;
• Clarifying that notice must be delivered electronically via NYDFS’s website form;
• Requiring notice of cybersecurity incidents that occur at third-party service providers in addition to the covered entity or its affiliates; and
• Creating obligations to provide NYDFS information requested regarding such incidents and updating NYDFS with material changes or new information.

These amendments took effect on December 1, 2023.

Revised Compliance Certification Requirements

As amended, the Regulation will now require the CISO and the covered entity’s highest ranking executive to sign the covered entity’s annual compliance certification. Certification, however, is now qualified to only address “material” compliance with the Cybersecurity Regulation. If a covered entity cannot certify to material compliance, the amendment will require covered entities to submit a written acknowledgement of noncompliance describing the noncompliance and a timeline for complying.

These amendments took effect on December 1, 2023.

Updates to Governance Requirements

The amendment implements updates to the Regulation’s cybersecurity governance requirements that expand the content of the required annual board report on cybersecurity to include plans for “remediating material inadequacies” with respect to the covered entity’s cybersecurity program. The CISO will also now be required to make timely reports to the covered entity’s senior governing body or officers on material cybersecurity issues, which expressly include “significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.”

The amendment also creates a new requirement for a senior governing body to exercise oversight of cybersecurity risk management. The amendment provides such oversight include developing sufficient understanding of cybersecurity matters to exercise oversight, requiring development, implementation, and maintenance of a cybersecurity program, regularly receiving and reviewing management reports on cybersecurity matters, and confirming management allocates sufficient resources to implement and maintain a cybersecurity program effectively. The senior governing body or a senior officer must also approve the covered entity’s cybersecurity policy at least annually.

These amendments take effect on November 1, 2024.

New and Revised Security Requirements

The amendment also creates various new or revised security requirements.

• Vulnerability Management. The amendment omits a previous requirement for continuous monitoring, but further requires covered entities to develop and implement written vulnerability management policies and procedures designed to assess and maintain the effectiveness of the cybersecurity program. The policies must ensure that covered entities perform (i) annual penetration testing of information systems from inside and outside the system’s boundaries and (ii) automated vulnerability scans of information systems and manual review of other systems at a frequency determined by the covered entity’s risk assessment and after material changes to its systems. Additionally, covered entities must implement processes to identify and remediate new security vulnerabilities.
• Access Privileges. The amendment requires that a covered entity must (i) limit nonpublic information access privileges to only those necessary to perform the user’s job, (ii) limit privileged accounts and the access functions of those accounts to only those necessary to perform the user’s job, (iii) limit privileged account use to performing functions requiring that access, (iv) annually review user access privileges and disable unnecessary accounts or access, (v) disable or securely configure protocols that permit remote device control, and (vi) promptly terminate access after departures. Covered entities that use passwords for authentication must also “implement a written password policy that meets industry standards.” “Industry standards” is undefined.
• Application Security. CISOs must review application security procedures, guidelines, and standards at least once per year.
• Risk Assessment. Covered entities must review and update their risk assessments at least annually and whenever business or technological changes materially change cyber risk.
• Multi-factor Authentication (“MFA”). Covered entities are required to implement MFA whenever an individual accesses the information systems of a covered entity, though the amendment retains an exception allowing the CISO to approve “reasonably equivalent or more secure compensating controls.” These amendments take effect on November 1, 2025.
• Asset Management and Data Retention. Covered entities must maintain a complete and accurate inventory of their information systems. These amendments take effect on November 1, 2025.
• Monitoring and Training. The cybersecurity program is required to implement risk-based controls to monitor, filter, and block malicious web traffic and emails and include annual awareness training, which must also cover social engineering.
• The amendment removes the CISO’s ability to approve compensating controls for encryption in transit over external networks. But the amendment retains an allowance for CISO-approved compensating controls for encryption at rest where such encryption is infeasible. These amendments take effect on November 1, 2024.
• Business Continuity Management. The amendment introduces a new requirement for business continuity and disaster recovery planning. It also specifies that such plans must protect against cybersecurity-related disruptions to business operations by imposing specified measures, such as identifying essential documents, data, and personnel, and including plans and procedures for managing a cybersecurity-related disruption. The plans must also be tested at least annually. These amendments take effect on November 1, 2024.
• Incident Response Plans. The amendment requires additional incident response plan content regarding root cause analyses and updates to the plan based on prior incident responses. These amendments take effect on November 1, 2024.
• Mandatory Policy Topics. The amendment expands mandatory cybersecurity topics to include data retention, end of life management, remote access controls, systems and network monitoring, security awareness and training, systems and application security, and vulnerability management.

Expanded Exemptions

The amendment will expand a limited exemption for small companies. The current exemption applies only to covered entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of the covered entity and its affiliates, and less than $10 million in year-end total assets.

The amendment will increase the thresholds to less than 20 employees, less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the New York operations of its affiliates, and less than $15 million in year-end total assets.

These amendments take effect on November 1, 2024.

Additional Enforcement Provisions

Finally, the amendment updates the Regulation’s enforcement provisions.  In that regard, the amendment specifies that the “commission of a single act prohibited” by the Cybersecurity Regulation or the “failure to act to satisfy an obligation” from the Cybersecurity Regulation constitutes a violation. Examples of such violations include “the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance” and any “ material failure to comply for any 24-hour period.”

The amendment also enumerates various factors NYDFS must consider in assessing penalties for violations, including “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”