New York recently announced amendments to the State Department of Financial Services’ cybersecurity regulations. The changes further solidify the state’s already comprehensive cybersecurity regulatory regime. The amendments were both announced by Gov. Hochul and became effective on November 1, 2023. They apply to DFS regulated entities and aim to strengthen provisions around cyber governance, risk mitigation, incident notification, and training.

New obligations under the amendments include:

• Senior leadership is now explicitly required to exercise oversight of an entity’s cybersecurity risk management.
• CISOs must make timely reports to an entity’s senior leadership on material cybersecurity issues, including on cybersecurity events and changes to the entity’s cybersecurity program.
• Previously required cybersecurity risk assessments must now be conducted annually, or whenever there is a material change to the covered entity’s cyber risk.
• Entities must now conduct annual cybersecurity awareness training that includes training on how to address social engineering.
• Incident response plans must now include business continuity and disaster recovery plans. These plans must also be tested annually.
• Entities must notify DFS within 24 hours after making an extorsion payment (i.e. a ransomware payment) and provide a detailed explanation of the reasons for making the payment within 30 days.

The amendments also created additional obligations for larger “Class A companies.” These are companies with a two-year average of (1) at least $20 million in gross revenue (including instate revenue from affiliates) and; (2) 2000 employees or $1 billion in total annual revenue (including all affiliate revenue). Class A companies must design and conduct independent cybersecurity program audits, implement a privileged access management solution that includes specific password requirements, and deploy an endpoint detection and response solution that includes logging and security event alerting.

Putting it Into Practice: These updated regulations continue to demonstrate that New York State remains hyper-focused on cybersecurity. Regulated entities should review the new regulations carefully and take care to ensure they update their policies and procedures to comply with the new requirements.