On November 1, 2023, the New York State Department of Financial Services (DFS) announced its adoption of key changes to its cybersecurity regulations for the financial services industry (23 NYCRR Part 500). The amended regulations apply to “covered entities,” which include any individual or entity required to operate under a license, charter, certificate, permit, accreditation, or other authorization under the New York State Banking, Insurance, or Financial Services Laws, regardless of whether the individual or entity is also regulated by another government agency.
Although the amended regulations went into effect on November 1, 2023, they include several transitional periods, within which covered entities must comply with various requirements. The following is a summary of the key changes.
Changes Requiring Compliance by December 1, 2023
By December 1, 2023, covered entities must begin complying with the amended regulations’ revised reporting requirements. Specifically, within 72 hours after determining that a cybersecurity incident has occurred, covered entities must provide electronic notice of the incident to DFS. Also new is the requirement that covered entities promptly provide any information requested regarding the incident and update DFS on material changes or new information on a rolling basis as it becomes available.
By April 15 of each year, a covered entity must electronically submit either written certification that it complied with the DFS cybersecurity requirements during the prior calendar year or a written acknowledgement of its failure to materially comply. The certification or acknowledgement must meet specific content requirements.
The amended regulations also include a new notice requirement pertaining to extortion payments, requiring covered entities to provide electronic notice of any extortion payments made in connection with a cybersecurity event within 24 hours after payment. Within 30 days after payment, the covered entity must provide a written description of the reasons the payment was necessary, alternatives considered, diligence performed to find alternatives, and diligence performed to ensure compliance with applicable rules and regulations.
Changes Requiring Compliance by October 31, 2024
Within one year after November 1, 2023, covered entities must begin complying with revised and expanded governance, encryption, and response-plan requirements. Specifically, a covered entity’s chief information security officer (CISO) will be required to timely report material cybersecurity issues to the senior governing body (e.g., the entity’s board of directors) or senior officers. Material issues include significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.
The amended regulations further obligate a covered entity’s senior governing body to oversee cybersecurity risk management. To exercise this oversight, the senior governing body must have a sufficient understanding of cybersecurity-related matters. The senior governing body must also require executive management (or its designees) to develop, implement, and maintain the covered entity’s cybersecurity program; regularly receive and review management reports about cybersecurity matters; and confirm that management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
The amended regulations also require covered entities to implement a written policy requiring encryption that meets industry standards and protects nonpublic information held or transmitted by the covered entity, both in transit over external networks and at rest. Covered entities will also be required to establish written plans providing proactive measures to investigate and mitigate cybersecurity events and ensure operational resilience. These written plans must include an incident-response plan and a business-continuity and disaster-recovery plan. Covered entities must distribute these plans, or otherwise make them accessible, to all employees necessary to implement them, and must train the employees responsible for the plans’ implementation. The plans must be tested and revised at least annually, and the testing must involve all management and staff critical to the response. Finally, covered entities must maintain the backups necessary to restore material operations, and those backups must be adequately protected from unauthorized alteration or destruction.
Changes Requiring Compliance by May 1, 2025
Within 18 months after November 1, 2023, covered entities must begin complying with more robust vulnerability-management, user-access-privilege, and monitoring-and-training requirements. The vulnerability-management requirements are expanded to include the development and implementation of written policies and procedures designed to assess and maintain the effectiveness of the covered entity’s cybersecurity program. Those written policies and procedures must ensure that the covered entity conducts automated scans of its information systems, together with a manual review of systems not covered by the scans, for the purpose of discovering, analyzing, and reporting vulnerabilities at a frequency determined by the covered entity’s risk assessment, and promptly after any material system change.
Covered entities also have 18 months to implement more robust user-access privilege requirements. Based on its risk assessment, a covered entity must:
- Grant user access to nonpublic information only when necessary to perform the user’s job
- Limit the number of privileged accounts
- Limit user access to privileged accounts to the extent necessary to perform the user’s job
- Periodically (but at least annually) review all user-access privileges, and remove or disable accounts and access that are no longer necessary
- Disable or securely configure all protocols that permit remote control of devices
- Promptly terminate access following departures
Moreover, if passwords are employed as a method of authentication, the covered entity must implement a written password policy that meets industry standards.
Finally, in terms of monitoring and training, covered entities will have 18 months to implement risk-based controls designed to protect against malicious code. Companies that meet the regulatory definition of a class A company (i.e., a company with at least $20 million in gross annual revenue in each of the last two fiscal years and with either more than 2,000 employees averaged over the last two fiscal years or over $1 billion in gross annual revenue in each of the last two fiscal years) must also implement an endpoint detection and response solution to monitor anomalous activity as well as a solution that centralizes logging and security event alerting. The CISO of such a company may approve the use of a reasonable equivalent or more secure compensating controls, so long as the CISO does so in writing.
Changes Requiring Compliance by October 31, 2025
Within two years after November 1, 2023, covered entities must use multifactor authentication for any individual accessing the covered entity’s information systems, unless the covered entity qualifies for a limited exemption from this requirement. In instances where the covered entity has a CISO, the CISO may approve the use of reasonably equivalent or more-secure compensating controls. The approval must be made in writing, and the controls must be reviewed at least annually.
Covered entities will also be required to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of the covered entity’s information systems. At a minimum, the written policies and procedures must include a method to track key information for each asset, and the policies and procedures must specify the frequency required to update and validate the asset inventory.
Key Takeaway
The DFS’ amended cybersecurity regulations require a covered entity to review and, in some cases, overhaul the policies, procedures, and systems currently in place. A covered entity’s failure to do so could lead to substantial negative consequences, since a single prohibited act, or a single failure to satisfy an obligation the regulations impose, constitutes a violation. Covered entities should therefore review the amended cybersecurity regulations in their entirety, as well as the implementation timelines and webinar information available on the DFS website.
Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist with reviewing and revising cybersecurity programs, including policies and procedures, and will continue to monitor any developments and best practices.
If you have any questions regarding the contents of this alert, please contact Kevin Szczepanski, Data Security & Technology Practice Area co-chair, at kszczepanski@barclaydamon.com; Dena DeFazio, associate, at ddefazio@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.