PH Privacy
Reminder: More New York Department of Financial Services (NYDFS) Requirements Go Into Effect Next Month
October 10, 2024
By Aaron Charfoos, Michelle A. Reed, & Brianne B. Powers
As we have previously written, late last year the New York Department of Financial Services (NYDFS) adopted long-awaited amendments to its Part 500 Cybersecurity Regulations (Part 500). These are some of the most significant changes to Part 500 since March 2017.
While some of those amendments went into effect immediately, others were pushed out on an extended timeline for implementation. The next round of amendments, including those related to cybersecurity governance, incident response and management, and encryption will go into effect for all covered entities, except those that qualify for an exemption, on November 1st.
Starting November 1st, covered entities[1], including Class A companies[2], are required to implement the following practices:
- Cybersecurity Governance: Chief Information Security Officers (CISOs) must report in writing to senior governing bodies/senior officials on material cybersecurity issues (such as cybersecurity events or changes to the program) and on plans for remediating material inadequacies. The senior governing bodies/senior officials must exercise oversight of cybersecurity risk management. (See Section 500.4)
- Incident Response and Business Continuity Management: Incident Response (IR) plans must be updated as specified and tested at least annually. Business Continuity and Disaster Response (BCDR) plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Training must be provided to all employees with responsibilities under BCDR and the plans must be tested and updated as necessary. The tests should focus on the covered entity’s ability to restore critical data and information systems from backups and maintain and adequately protect backups necessary to restore material operations. (See Section 500.4)
- Encryption of Nonpublic Information (NPI): Covered entities must implement a written policy requiring encryption that meets industry standards and may no longer use effective alternative compensating controls for encryption of NPI in transit over external networks. Note, covered entities may use effective compensating controls for encryption of NPI at rest provided that the compensating controls are reviewed and approved in writing by the CISO at least annually. (See Section 500.15)
Requirements for Small Businesses
Starting November 1st, small businesses that qualify for partial exemptions under the amendments must also implement multi-factor authentication (Section 500.12(a)) and cybersecurity training (Section 500.14(a)(3)). More specifically, multi-factor authentication (MFA) must be implemented for remote access to information and third-party applications where NPI is accessible (including cloud applications), and to privileged accounts. Cybersecurity training must be provided to all personnel and should include details regarding social engineering.
Next Steps
Covered entities, Class A companies and small businesses still have a few weeks to examine and update their cybersecurity policies and practices or implement new ones to ensure they are fully onboard by the November 1st deadline. As applicable, covered entities, Class A companies and small businesses should:
- Review cybersecurity governance structure and standard practices for reporting to governing bodies.
- Update and test incident response and business continuity plans.
- Implement written encryption policies.
- Implement multi-factor authentication.
- Implement cybersecurity training with a focus on social engineering attacks.
NYDFS helpfully provides additional guidance at their Cybersecurity Resource Center and has also updated their list of Frequently Asked Questions in light of the upcoming deadline.
Our Data Privacy and Cybersecurity practice regularly advises on compliance with Part 500 and other cybersecurity regulations. If you have any questions concerning how these requirements may affect your organization, please do not hesitate to contact the members of our team.
[1] Under Part 500, a covered entity is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”
[2] Under Part 500, a Class A company is “a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates and: (1) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or (2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located. For purposes of this subdivision, when calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.”