On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.[1] In July 2022, NYDFS issued a draft version of the changes, but the current amendment has significant changes. Most of the proposed changes will take effect 180 days after final regulation adoption, likely soon after the comment period closes on Jan. 9, 2023, making most new regulations effective after July 8, 2023.[2]

Go-To Guide:

  • Detailed requirements of NYDFS’ proposed amendments to the cybersecurity regulation;
  • Heightened requirements for larger financial services companies (“Class A Companies”);
  • Changes to limited exemptions.

***

The proposed amendments move beyond administrative and technical safeguards to granular regulations on cybersecurity governance and risk management. Additionally, NYDFS places stricter requirements, detailed below, on larger financial services companies, “Class A Companies.” Class A Companies are those with greater than or equal to $20 million in New York gross annual revenue in the last two fiscal years, and either: greater than 2,000 employees (including affiliate’s employees), or greater than $1 billion in gross annual revenue (including affiliate revenue) globally in the last two fiscal years. With the new regulations expected to take effect in 2023 (potentially as early as March for sections with a 30-day implementation timeline), companies should begin planning and budgeting for the changes now to avoid legal compliance risks.

New Requirements for All Covered Entities:

  • Chief Information Security Officer (CISO) Authority & Responsibility. Grant CISOs authority to manage cybersecurity risks appropriately, including the ability to direct sufficient resources to implement and maintain a cybersecurity program, and require that the CISO report to the senior governing body on any material cybersecurity issues. (500.4(a), (c))
  • Senior Governing Body. The Board of Directors, or similar managerial body, must annually approve the written cybersecurity policy which must include policies regarding data retention, asset disposition, security awareness and training, breach notification, encryption requirements for nonpublic information, and vulnerability management. (500.3, 500.15) Additionally, the Board must provide oversight and direction regarding management of the cyber risk management program. (500.4(d))
  • Vulnerability Management. Develop written vulnerability management policies and procedures, including: annual penetration testing from inside and outside the information systems’ boundaries; automated scans of information systems (with manual review of systems not covered by scans)[3]; continuous monitoring for security vulnerabilities; and documentation of material issues found during testing, with those issues reported to the senior governing body and senior management. (500.5)
  • Access Management. Conduct at least annually a user access privilege review, promptly terminate access after employee departures, and implement a written password policy that meets industry standards. (500.7)
  • Multi-factor Authentication (MFA).[4] MFA must be implemented for remote access to all privileged accounts (admin or security accounts), as well as for access to the entity’s or third-party applications (including cloud-based ones) that host nonpublic information. If the CISO approves more secure compensating controls in writing, they must be reviewed at least annually. (500.12)
  • Data Inventory.[5] Maintain an asset inventory of all hardware and software, including their location and accessibility. (500.13)
  • Training and Monitoring. Implement controls that protect against malicious code, including on web traffic and email to block malicious content,[6] and provide at least annual training with social engineering exercises to all employees. (500.14(a))
  • Business Continuity, Disaster Recovery (BCDR), & Incident Response Plans (IRP). At least annually, test the ability to restore systems from network-isolated backups[7], and test and revise as needed their BCDR plan & IRP (including disruptive events like ransomware). Additionally, training must be provided to the employees responsible for implementing the respective plans.
    • BCDR Plan. In addition, the BCDR plan must: identify documents/data, personnel, facilities, infrastructure, and competencies essential to continued operations; identify the supervisory personnel responsible for implementing each aspect of the plans; include communications plans, procedures to create offsite backups and maintain backup facilities. The draft amendments would also require that relevant employees be trained for their implementation. (500.16)
  • Third Party Event Notification.[8] The 72-hour notification requirement for cybersecurity events now requires entities to report events affecting them which occur at or within third-party service providers. Entities are required to provide, via NYDFS’ website form, “any information requested regarding the investigation of the cybersecurity event,” with an ongoing obligation to update and supplement the NYDFS form.
  • Ransomware & Extortion Payment Reporting. Covered entities must now report if they experience a cybersecurity event involving ransomware. In addition, if extortion payments are made in connection with the ransomware event, the entity must: (1) submit notice of payment within 24 hours; and (2) within 30 days of payment, provide a written description of the reasons payment was necessary and a description of the alternatives considered. (500.17)
  • Annual Certification of Compliance.[9] The certification now includes a written acknowledgement that provides remediation plans and a timeline for their implementation. (500.17)

New Requirements for Class A Companies:

  • Audits and Risk Assessments. Conduct an independent audit (using external auditors) of the cybersecurity program at least annually. (500.2(c)) Use external experts to conduct a risk assessment at least every three years. (500.9(d))
  • Access Management.[10] Implement a privileged access management solution and an automated method of blocking commonly used passwords. (500.7(b))
  • Training and Monitoring.[11] Implement an endpoint detection and response solution to monitor anomalous activity (including lateral movement), and a solution that centralizes logging and security event alerting. (500.14(b))

The proposed amendments also change the limited exemptions for small companies. An entity (including affiliates) with either fewer than 20 employees (including independent contractors) or less than $15 million in year-end total assets is exempt from the following regulation sections: 500.4 (CISO requirements), 500.5 (penetration testing and vulnerability assessments), 500.6 (audit trails), 500.8 (application security), 500.10 (cybersecurity personnel), 500.14 (training and monitoring), 500.15 (encryption), and 500.16 (BCDR & IRP Plans).

NYDFS has taken note of the comments submitted to the original draft changes published in July; while they retained many of the proposed changes, the new version provides clarifications, relaxes some of the implementation timelines, and removes certain requirements for Class A Companies (such as weekly vulnerability scans and requiring password vaults for privileged access).



[1] 23 NYCRR § 500 et seq.

[2] The amendment’s 60-day comment period is open to public feedback until 5 pm EST on Monday, Jan. 9, 2023. Comments must be submitted in writing either via email or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, One State Street, Floor 19, New York, NY, 10004. No special form is required.

[3] Covered entities have 18 months from the amendment’s effective date to implement automated scans of information systems per 500.5(a)(2).

[4] Covered entities have 18 months from the amendment’s effective date to implement MFA per 500.12(b).

[5] Covered entities have two years from the amendment’s effective date to implement the asset management and data inventory requirements per 500.13(a).

[6] Covered entities have 18 months from the amendment’s effective date to implement protections against malicious code per 500.14(a)(2).

[7] Covered entities have one year from the amendment’s effective date to implement network isolated backups per 500.16(e).

[8] Covered entities have 30 days from the amendment’s effective date to implement notification requirements per 500.17.

[9] Covered entities have 30 days from the amendment’s effective date to implement notification requirements per 500.17.

[10] Class A companies have 18 months from the amendment’s effective date to implement changes to passwords per 500.7(b).

[11] Class A companies have 18 months from the amendment’s effective date to implement endpoint and centralized logging solutions per 500.14(b).

Timothy A. Butler

Tim Butler helps companies thrive by developing tailored strategies to address their regulatory compliance challenges and vigorously defending them in government enforcement actions and bet-the-company lawsuits.

A former prosecuting attorney for the Federal Trade Commission (FTC) and former senior official in the Georgia Attorney General’s Office, Tim has led the defense of dozens of government investigations and enforcement actions brought by the FTC, the Consumer Financial Protection Bureau (CFPB), and the various state attorneys general. Tim also regularly defends clients in bet-the-company lawsuits, including complex business disputes and consumer class actions alleging privacy, false advertising, and unfair or deceptive business practice claims.

Tim is an experienced guide for companies struggling with regulatory complexity. He offers clear advice that helps his clients meet the demands of the ever-growing set of laws and regulations governing data privacy and cybersecurity, advertising and marketing practices, and consumer financial products and services. Clients rely on Tim’s business-minded and practical strategies to address their most difficult regulatory compliance challenges.

A graduate of the University of Chicago and Stanford Law School, Tim is a prolific author and regularly speaks to industry and trade groups about the evolving privacy landscape, about cutting-edge issues affecting payments and fintech companies, and about developments at the FTC, the CFPB, and within the state attorneys general community.

Matthew White

Matt White guides clients through regulatory compliance challenges and represents clients in regulatory and civil investigations and litigation.

Matt has counseled fintech and payment companies on regulatory compliance matters, including those involving the Electronic Fund Transfer Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Truth in Lending Act, and their respective implementing regulations (Regulations E, V, P, and Z). Adept with the Consumer Financial Protection Bureau’s (CFPB) Prepaid Rule, Matt has provided guidance regarding prepaid cards and related compliance.

Matt has also aided clients in developing regulatory compliant products and functionalities, including an earned wage access program, reimbursement prepaid card programs, new merchant cash advance products, and tokenized payment capabilities. In connection with products on which Matt advises, he has also negotiated high-stakes technology sales agreements involving complex regulatory issues, including compliance with data privacy laws, financial regulations, and card network rules.

Beyond helping clients strategize for regulatory complexity, Matt also helps clients navigate government investigations and enforcement actions brought by the Federal Trade Commission (FTC), CFPB, and state attorneys general.

Michael A. Berlin

Michael A. Berlin focuses his practice on financial and insurance regulatory investigations, white collar defense, consumer fraud defense, Medicaid fraud investigations, government affairs, and general litigation matters. In addition, Michael leads Greenberg Traurig’s State Attorney General Practice.

Michael, in addition to his work before numerous state and federal authorities, has wide-ranging experience in front of both the New York Attorney General’s office and attorneys general’s offices nationwide, in both investigations by individual offices and multi-state matters. Michael regularly appears before the New York State Department of Financial Services and other states’ Insurance and Banking Departments in both regulatory and investigatory matters. Michael also represents numerous health care providers in both federal and state fraud investigations. He conducts internal investigations and represents a wide array of corporations and individuals in complex challenges to government actions.

Tessa Cierny

Tessa Cierny advises companies on financial technology and data privacy issues. She has experience counseling companies on state and federal regulatory compliance, including existing and emerging privacy laws, such as the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as financial and banking regulations, such as the CFPB’s Section 1071 Small Business Lending Rule (Regulation B). In addition, she assists clients in defending business disputes and data breach litigation.

Prior to joining Greenberg Traurig, she served as global records manager for WestRock, where she developed and implemented email and data retention policies for global data privacy regulation compliance. In this role, she also advised on data privacy concerns related to data retention, data loss prevention, and data governance.