NYDFS Finalizes Amendments to Cybersecurity Regulation Impacting Financial Services Companies

On November 1, 2023, the New York Department of Financial Services (NYDFS) amended Part 500, the cybersecurity regulation. These updates follow numerous NYDFS enforcement actions and other new cybersecurity rules, such as the updated US Securities and Exchange Commission cybersecurity reporting requirements and the proposed cybersecurity audit regulations under the California Consumer Privacy Act.

The new NYDFS rules mandate increased board oversight, “independent” audits for large companies, incident response planning and testing (e.g., tabletops), maintained asset inventories, more extensive NYDFS reporting and many new technical controls. Businesses regulated by the NYDFS (including financial institutions and insurance companies) must certify they comply with most requirements by April 2024. Reporting requirements, however, will take effect before April 2024.

Extensive work will be needed in a short amount of time, so covered entities should begin updating policies, procedures and incident response plans, conducting tabletop exercises, launching new cybersecurity training, and preparing management and the board for their new oversight activities. Below is a non-exhaustive summary of the major requirements.

In Depth

Introduction of “Class A companies”: The updated cybersecurity regulations create a new category for larger corporations called “Class A companies.” These entities are held to stricter standards.

  • Class A companies include covered entities with at least $20 million in gross annual revenue from business operations in New York and either more than 2,000 employees or more than $1 billion in gross annual revenue from business operations in all states.
  • Class A companies are now required to conduct audits of their cybersecurity programs; those audits must be independent. Notably, an independent audit can still be conducted by an internal auditor if the auditor is free from influence (not unlike a data protection officer employed under the General Data Protection Regulation). This requirement may make it challenging for companies to conduct legally privileged audits.

New board/c-suite obligations: Executives, board members and senior officers now have specific responsibilities to oversee the covered entities’ cybersecurity program. These internal governance bodies are crucial to the proper functioning of a cybersecurity program and highlight regulators’ increased focus on the board’s role in cybersecurity oversight.

  • Chief information security officers are now required to report to the board or other equivalent bodies on material cybersecurity issues (e.g., significant cybersecurity events or changes to cybersecurity programs).
  • The board or other equivalent bodies now have specific obligations to oversee cybersecurity risk management, including reviewing regular management reports and confirming that the cybersecurity program is properly funded.
  • Boards and equivalent bodies must be qualified to conduct these oversight activities, including by undergoing training as necessary.

Cybersecurity policy updates: Covered entities must now document and maintain several additional cybersecurity policies and procedures (or ensure that their existing cybersecurity policies and procedures cover these new areas).

  • Covered entities must maintain policies governing data retention, end-of-life management, remote access, security awareness and training, incident notification and vulnerability management.
  • Covered entities must document procedures implementing each policy.
  • Policies must be approved annually by the board or other equivalent bodies.

Enhanced technical security controls: The cybersecurity regulations impose additional technical requirements.

  • Risk assessments must be conducted at least annually.
  • Access management requirements are more robust, including annual reviews of all user access privileges.
  • Multifactor authentication is now required (not just suggested) for any individual accessing a covered entity’s information systems. There is a narrow carve-out for entities below certain headcount, revenue or asset thresholds, but even those entities must use multifactor authentication in designated situations, such as remote access.
  • Covered entities must monitor and filter web traffic and email to protect against malicious code.
  • Cybersecurity awareness training must be provided annually.

Incident response plans and business continuity management: Covered entities must have documented business continuity and disaster recovery (BCDR) plans and include more specific content in incident response plans (IRPs).

  • IRPs must now identify how covered entities will recover backups and include instructions for a root cause analysis following an incident.
  • Covered entities must maintain BCDR plans that identify critical business functions, include communication plans in the event of a cybersecurity-related disruption, detail procedures for backups and recovery of impacted data, and meet other requirements.
  • IRPs and BCDR plans must be tested annually (e.g., via a tabletop exercise).

Asset inventories: Covered entities must now maintain asset inventories.

  • Asset inventories must include the owner, location, classification or sensitivity, support expiration date and recovery time objectives.
  • Covered entities must document how often they update and validate the asset inventories.

Notice requirements for cybersecurity incidents: Covered entities must notify the superintendent about additional cybersecurity incidents.

  • Superintendent notice is now required for a broader range of cybersecurity incidents, including a ransomware attack in a material part of the company’s information systems.
  • For any extortion payments, covered entities must provide electronic notice to the superintendent within 24 hours of the payment and provide additional detailed information within 30 days.

Exemptions: The thresholds for the limited exemptions have been raised slightly, so exemptions are now available in somewhat more circumstances. A company qualifies if it meets any of the following criteria:

  • If it has fewer than 20 employees (instead of 10).
  • If it recorded less than $7.5 million in gross annual revenue in each of the last three fiscal years (instead of $5 million).
  • If it recorded less than $15 million in year-end total assets (instead of $10 million).

Deadlines for compliance: Unless otherwise specified, the amendments will take effect on April 29, 2024. The exceptions to this compliance date are as follows:

Timeline from November 1, 2023 (compliance area expected by each date):

30 days:
  • Notices to NYDFS in the event of a cybersecurity incident

One year:
  • Cybersecurity governance requirements
  • Additional encryption requirements
  • IRP and BCDR plan updates
  • Limited exemptions take effect

18 months:
  • Automated vulnerability scans
  • Additional access management obligations
  • Implementation of risk-based controls to protect against malware, like email scanning
  • For Class A companies, implementation of an endpoint detection and response solution

Two years:
  • Additional multifactor authentication requirements
  • Asset inventory requirements

Given the significant number of new requirements, covered entities should act quickly to assess any gaps and develop work plans to fill them. For assistance with conducting an assessment or implementing the new requirements, please contact the authors or your regular McDermott lawyer.

The authors thank John Ying and Heidi Steele for their invaluable input on this article.