NYDFS Cybersecurity Regulation Deadlines Approaching on April 15 and April 29

Trisha Sircar
Katten Muchin Rosenman LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On November 1, 2023, the New York State Department of Financial Services (NYDFS)  amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). NYDFS has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted (including Small Businesses, Class A Companies, and Covered Entities). In addition, NYDFS has published training materials and FAQs regarding the new requirements.

As of December 1, 2023, Small Businesses, Class A Companies, and Covered Entities were required to report cyber incidents, including ransomware attacks, to NYDFS. 

The next major deadline is April 15, 2024, for compliance with section 500.17(b) of amended Part 500. This requires all companies to submit a Certification of Material Compliance or Acknowledgment of Noncompliance to the NYDFS. NYDFS has provided in its FAQs that if a “Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b).”  

By April 29, 2024, Covered Entities and Class A Companies must comply with most of the provisions under amended Part 500 (e.g., 500.2(c); 500.3; 500.5(a)(1), (b), and (c); 500.9; and 500.14(a)(3)). This includes updating their internal risk assessments, which they must continue to do at least annually or whenever a change in operations or technology causes a material change to the business’s cyber risk. In addition, they must comply with certain testing, monitoring, training, and audit requirements.

Under the amended Part 500, material compliance does not require absolute compliance. However, it does require entities to take a risk-based approach to assess their compliance needs and conduct an overall gap analysis of their current cybersecurity programs to comply with the amendments under Part 500. 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising

Written by:

Katten Muchin Rosenman LLP
Katten Muchin Rosenman LLP
Contact
more
less

Katten Muchin Rosenman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide