NYDFS Significantly Amends Cybersecurity Regulation

BakerHostetler
The New York State Department of Financial Services (NYDFS) adopted comprehensive amendments to its cybersecurity regulation on Nov. 1, 2023. The amended regulation, including the notification provisions of §500.17, goes into effect on Dec. 1, 2023, with a compliance date of April 29, 2024, for most other provisions.

Some of the key changes relate to cyber incident notifications and implementation of multi-factor authentication (MFA). We will be following up with additional guidance on other changes to the regulation so your business can be prepared come April 2024.

Notice of Cybersecurity Incidents and Ransom Payments

Notice of Cybersecurity Incidents: Under the amended regulation, covered entities must now notify NYDFS of a qualifying “cybersecurity incident” (as opposed to a “cybersecurity event” under the prior regulation) within 72 hours. Cybersecurity incident is defined as:

A cybersecurity event (any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such information system) that has occurred at the covered entity, its affiliates, or a third-party service provider that

(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;

(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or

(3) results in the deployment of ransomware within a material part of the covered entity’s information systems.

This amendment makes clear that cybersecurity incidents occurring at an affiliate or a third-party service provider can trigger notice to NYDFS.

Notably, the amendment also requires a covered entity to notify NYDFS of ransomware incidents even when the incident does not have a reasonable likelihood of materially harming a material part of the covered entity’s operations. Although the text of the amended regulation requires notice when ransomware is deployed within a material part of the covered entity’s systems, NYDFS’s assessment of public comments on the previously proposed amendments indicates that the Department views any deployment of ransomware within the covered entity’s systems, regardless of its material impact, as warranting notice: “The Department believes notification to DFS when ransomware has been deployed is important enough to warrant mentioning explicitly.” §500.17.

Notice of Ransom Payments: Beginning on Dec. 1, 2023, covered entities will be required to notify NYDFS within 24 hours of making a ransom or other extortion payment in connection with a cybersecurity event involving the covered entity. Within 30 days of such payment, the covered entity must also provide a written description of the reasons payment was necessary, a description of alternatives considered, all diligence performed to find alternatives, and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.

Multi-Factor Authentication

The amended regulation expands the MFA requirements and removes the blanket exemption from MFA that smaller companies previously enjoyed.

Under the amended regulation, MFA is required for any individual accessing any of the covered entity’s information systems. Smaller companies that qualify for the limited exemption under §500.19(a) are no longer exempt from MFA altogether; for them, MFA is required for:

(1) remote access to the covered entity’s information systems;

(2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and

(3) all privileged accounts other than service accounts that prohibit interactive login.

Compensating controls: If the covered entity has a chief information security officer (CISO), the CISO may approve, in writing, the use of reasonably equivalent or more secure compensating controls, and such controls must be reviewed periodically, at least annually. §500.12.

Other Comprehensive Changes

The updates to the regulation significantly expand or add to the already existing requirements covered entities must follow. The changes impact areas such as board oversight, access privileges, monitoring, incident preparedness, and annual certifications. Stay tuned for a deeper dive on each of these topics.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
