[c0-author: Amy Gopinathan]

On November 1, 2023, New York Department of Financial Services (NYDFS or the “Department”) released the finalized revisions (the “Second Amendment”) to 23 NYCRR Part 500 (Part 500) – the most significant modifications to Part 500 since it was first enacted in 2017 and established cybersecurity requirements for NYDFS-regulated entities.¹ The revisions, the Department explains in the introduction to its Cybersecurity Resource Center, are aimed at addressing the changes in the increasing sophistication of threat actors, the prevalence of and relative ease in executing cyberattacks, and the availability of additional controls to manage cyber risk (at a reasonable cost). These changes mark the culmination of an approximately yearlong effort, which first began in July 2022, when the Department published a “pre-proposed” draft amendment, which was revised first on November 9, 2022, and again on June 28, 2023, before being finalized on November 1, 2023. Throughout this process, the NYDFS solicited, considered, and responded to public comments.

The finalized version of Part 500 includes some notable changes (described in more detail below) that are significant for a number of reasons. First, a number of the new obligations may require significant enhancement to and investment in a covered entity’s cybersecurity program. Second, the new rules (and articulated rationale behind them) portend an overall increase in NYDFS investigative and enforcement activity with respect to cybersecurity. Third, it is possible that these more stringent requirements will be adopted by other regulators and ultimately impact non-NYDFS covered entities. For example, the Federal Trade Commission (FTC) recently updated the Gramm-Leach-Bliley Act’s Safeguards Rule to create stricter security requirements for non-banking financial institutions. It is possible that the FTC will look to the updated version of Part 500 for future updates to the Safeguards Rule.

While NYDFS-regulated entities should conduct an overall review of their current cybersecurity programs to identify gaps in compliance with the new regulations and create a plan to address those gaps in a timely fashion, some specific initial priorities include: (1) identifying key compliance dates; (2) reviewing incident response plans and procedures to confirm that there are mechanisms to comply with the new incident reporting requirements (effective December 1, 2023); (3) assessing whether the entity constitutes a “Class A” company (as Class A Companies must follow certain specific additional requirements versus other types of entities); and (4) considering how, if at all, the new regulations impact the overall certification process for the year 2023 (noting that although certification will take place in April, it will be as of December 31, 2023).

We have identified key features of the Second Amendment below, as well as the deadlines that covered entities should pay attention to moving forward. We will continue to provide notable updates on this topic and others on the WilmerHale Privacy and Cybersecurity Law blog.

Key Features of the Second Amendment to Part 500

• Class A Companies (500.1(d)). Creates a category of companies called “Class A Companies” for which there are specific additional requirements. According to the regulation, Class A Companies are “covered entities with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in” New York and: (1) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates. The regulation also clarifies that “when calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.” Class A-specific requirements include:
  • Audits (500.2(c)). Requires independent audits of the covered entity’s cybersecurity program based on its risk assessment.²
  • Access monitoring (500.7(c)). Requires monitoring of privileged access activity and implementation of: (1) a privileged access management solution; and (2) an automated method of blocking commonly used passwords (CISO-approved compensating controls are permitted so long as they are in writing and approved annually).
  • Endpoint security (500.14(b)). Unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls, each Class A Company must implement: (1) an endpoint detection and response solution to monitor anomalous activity; and (2) a solution that centralizes logging and security event alerting.
• Cybersecurity policy (500.3). Requires annual approval of the cybersecurity program policy by a senior officer or the covered entity’s senior governing body and adds additional areas to cover, including: data retention, end of life management, remote access, systems and network security monitoring, security awareness and training, incident notification, and vulnerability management.
• CISO (500.4). Retains the requirement for a specific CISO for the covered entity, while defining CISO as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” It also requires the CISO to “timely report” to the senior governing body of the covered entity or senior officer(s) on material cybersecurity issues (e.g., significant cybersecurity events and significant cybersecurity program changes).
• Senior governing body (i.e., board or equivalent) oversight (500.4(d)). Requires a “senior governing body” of the covered entity to exercise effective cybersecurity-related oversight including by having sufficient understanding to exercise that oversight and requiring that the entity’s executive management or its designees develop, implement, and maintain the covered entity’s cybersecurity program.³ The revised rule also clarifies that for any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d), the senior governing body may be that of the affiliate.
• Vulnerability management (500.5). Removes the carve-out for continuous monitoring and instead requires that vulnerability management policies and procedures require that covered entities conduct, at a minimum, annual penetration testing from both inside and outside the information systems’ boundaries by a qualified internal or external party as well as automated scans of information systems, and a manual review of systems not covered by such scans. It also adds a requirement that all vulnerabilities must be timely remediated and prioritized by the risk posed to the covered entity.
• Access and privilege management (500.7). Requires that, based on the covered entity’s risk assessment, the covered entity take certain steps related to access and privilege management (e.g., limiting the number of privileged accounts and access functions of privileged accounts to only those necessary to perform the user’s job; periodically, but at a minimum annually, reviewing all user access privileges and removing or disabling accounts and access that are no longer necessary; etc.).
• Password policy (500.7). Requires a written password policy that meets industry standards to the extent that passwords are employed as a method of authentication.
• Application security (500.8). Requires that application security procedures, guidelines, and standards be reviewed at least annually.
• Risk assessment (500.9). Specifies that risk assessment must be reviewed and updated at least annually as well as when a change in the business or technology causes a material change to the covered entity’s cyber risk. It adds the following detail to the definition of risk assessment: “means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”
• Multi-factor authentication (MFA) (500.12). Requires that MFA be used for any individual accessing the covered entity’s information systems unless the entity is eligible for a limited exception.⁴ Also specifies that the CISO may approve in writing compensating controls and that such controls, if applied, must be reviewed annually.
• Asset management and data retention (500.13(a)). Requires implementation of policies and procedures that produce and maintain a complete and accurate asset management inventory of the covered entity’s information systems. Policies and procedures must include a method to track key information for each asset including, as applicable, the owner; location, classification or sensitivity; support expiration date; recovery time objectives; and frequency required to update/validate asset inventory.
• Monitoring (500.14(b)). Requires covered entities to implement risk-based controls designed to protect against malicious code (which includes controls that monitor and filter web traffic and email to block malicious content).
• Training (500.14(a)(3)). Specifies that training must occur at least annually and must include social engineering training.
• Encryption (500.15). Requires a “written policy requiring encryption that meets industry standards.” It notably removes the infeasibility exception for encryption in transit, while maintaining the infeasibility exception for encryption at rest (but clarifies that the CISO’s annual review and approval of feasibility and compensating controls must be in writing).
• Incident response and business continuity and disaster recovery (500.16).
  • Requires that incident response plans address disruptive events such as ransomware incidents, recovery from backups, and preparation of root cause analysis.
  • Requires covered entities to have a Business Continuity and Disaster Recovery (BCDR) Plan that meets certain specifications including, for example, that it: (1) identifies essential documents, data, facilities, infrastructure, services, personnel, and competencies; (2) identifies all supervisory personnel responsible for BCDR implementation; (3) includes a plan to communicate with essential persons (for cybersecurity-related disruptions); (4) includes procedures for timely recovery of critical data and systems and resumption of operations as soon as possible (for cybersecurity-related disruptions); (5) includes procedures for backing up or copying with sufficient frequency the information essential to operations of the covered entity and storing the information off-site; and (6) identifies third parties necessary to continued operations of the covered entity’s information systems.
  • Requires annual testing of both the BCDR and the incident response plans (which includes a test of the covered entity’s ability to restore its critical data and information system from backups) and relevant training.
• Notice of cybersecurity incidents and extortion payments (500.17(a); 500.17(c)).
  • Requires notice of all cybersecurity incidents within 72 hours after determining that the event has occurred. Cybersecurity Incident is defined as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that: (i) impacts the covered entity and requires notice to other regulatory agencies/supervisory bodies; (ii) is reasonably likely to materially impact any material part of the normal operations of the covered entity; or (iii) results in deployment of ransomware within a material part of the covered entity’s systems.⁵ Notably, the Second Amendment confers upon covered entities a continuous obligation to update the superintendent with material changes or new information previously unavailable.
  • Requires notice and explanation of extortion payments made in connection with cybersecurity events involving the covered entity within 24 hours of the payment. Additionally, within 30 days of the extortion payment, the covered entity must submit a written description of the reasons payment was necessary, a description of alternatives considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations.
• Certification (500.17(b)). Revises the certification process to include the option that the covered entity: (i) certifies that it materially complied with the requirements in Part 500 during the prior calendar year (with certification to be based upon data and documentation sufficient to accurately determine and demonstrate such compliance); or (ii) acknowledges in writing that it did not fully comply with all the requirements of Part 500 and, as part of that acknowledgment, the covered entity must (a) identify any and all sections of Part 500 with which the covered entity did not materially comply and describe the nature and extent of the noncompliance; and (b) provide a remediation timeline or confirmation that remediation has been completed. Certification must be signed by both the covered entity’s highest-ranking executive and CISO (or senior officer responsible for the cybersecurity program in the absence of a CISO).
• Enforcement (500.20). Adds language specifying that violations of Part 500 include: (i) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of Part 500; or (ii) the material failure to comply for any 24-hour period with any section of Part 500.

Looking Ahead

The new rule will take effect at various points over the next two years with a series of staggered transition periods for various provisions.⁶ Additionally, the Department has published guidance on the implementation timeline for key compliance dates for the various categories of entities impacted (e.g., Small Businesses, Class A Businesses, and Covered Entities). The first deadline for all categories of entities to begin compliance with the Second Amendment is December 1, 2023, for compliance with section 500.17(a), which requires providing NYDFS with notice of cybersecurity events reported to other authorities as well as ransomware. The next major deadline is April 15, 2024, for compliance with section 500.17(b) – which requires all entities to submit a Certification of Material Compliance or Acknowledgment of Noncompliance for the year 2023. To facilitate compliance with the new rules, the Department is also hosting three training webinars requiring advance registration – the first of which took place on November 15, 2023. The Department has indicated that the training will be recorded and posted publicly and that there will be additional sessions for insurance producers and mortgage loan originators.

¹ Covered Entity is defined under Part 500 as “any person operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”

² Note that independent audit is defined as “an audit conducted by internal or external auditors free to make decisions not influenced by the covered entity being audited or by its owners, managers or employees.”

³ Note that “senior governing body” is defined as board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program.

⁴ Even if the entity were eligible for a limited exception, MFA would still be required for: (1) remote access to the covered entity’s information systems; (2) remote access to third party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive login.

⁵ Note the definition of “cybersecurity event” remains unchanged.

⁶ Transitional periods are as follows: one year for sections 500.4(b), 500.5, 500.9, 500.12, and 500.14(b); 18 months for sections 500.6, 500.8, 500.13, 500.14 (a), and 500.15; two years for section 500.11 of this Part; and 180 days for all other sections. See 500.22.