New York Amends Cybersecurity Requirements for Financial Services Companies | Practical Law


The New York State Department of Financial Services (NYDFS) has finalized amendments to its Cybersecurity Requirements for Financial Services Companies to require enhanced governance, additional controls to prevent and detect unauthorized information systems access and cyberattacks, more regular risk and vulnerability assessments, new ransomware and compliance notices, and annual cybersecurity training.

New York Amends Cybersecurity Requirements for Financial Services Companies

Practical Law Legal Update w-041-2508 (Approx. 5 pages)


by Practical Law Data Privacy & Cybersecurity
Published on 02 Nov 2023, New York
On November 1, 2023, New York Governor Kathy Hochul announced in a press release that the New York State Department of Financial Services (NYDFS) had amended its cybersecurity regulation for the financial services industry (23 NYCRR §§ 500.0 to 500.24) (Part 500) to enhance cyber governance, mitigate risks, and better protect businesses and consumers from cyber threats.
The wide-ranging amendments update the NYDFS' risk-based approach to cybersecurity regulation and add new obligations for large financial service entities, referred to as Class A companies. New requirements for all covered entities include:
  • Vulnerability management improvements, including:
    • penetration testing of information systems from both inside and outside their boundaries, performed by a qualified internal or external party at least annually;
    • automated scans of information systems, supplemented by manual reviews of systems that automated scans cannot cover, to discover, analyze, and report vulnerabilities at predetermined frequencies and promptly after any material system change; and
    • timely remediation of discovered vulnerabilities, prioritized according to the risk they pose.
  • Access privileges and management enhancements, including:
    • limiting the number of privileged accounts, and their use, to only those people, functions, and time periods necessary to perform a job;
    • reviewing all user access privileges at least annually, removing or disabling accounts and access that are no longer necessary, and promptly terminating access when a user departs;
    • disabling, or securely configuring, all protocols that permit remote control of devices; and
    • a written password policy that meets industry standards.
  • Annual reviews, at minimum, of all cybersecurity program documentation and risk assessments, and updated risk assessments whenever business or technology changes cause a material change to the covered entity's cyber risk.
  • Multi-factor authentication (MFA) for any individual accessing any information system, unless a limited exemption applies. Covered entities that qualify for the limited exemption must still use MFA for:
    • remote access to their information systems;
    • remote access to third-party applications; and
    • all privileged accounts, except service accounts that prohibit interactive logins.
  • Expanded written program documentation, including:
    • asset management policies and procedures that produce a complete and accurate inventory of information systems, including a method for tracking key information about each asset and an appropriate frequency for updating the inventory; and
    • a business continuity and disaster recovery plan, supplementing the already required incident response plan, with specific content, employee training, and testing requirements.
  • Increased monitoring and employee training, including risk-based controls to protect against malicious code, websites, and emails, and company-wide cybersecurity awareness training that includes social engineering, conducted at least annually.
  • Specific written notifications to the NYDFS Superintendent, including:
    • an annual certification, submitted electronically by April 15, stating whether the covered entity materially complied with Part 500 during the prior calendar year and, if not, fully describing each area of material noncompliance by section and providing either a remediation timeline or confirmation that remediation is already complete; and
    • notice of any extortion payment made in connection with a cybersecurity event (for example, a ransomware payment) within 24 hours of the payment, followed within 30 days of the payment by additional, specific details about the event.
Chief Information Security Officers (CISOs) must also report in a timely manner to the senior governing body or senior officers on material cybersecurity issues, and the senior governing body must exercise oversight of the covered entity's cybersecurity risk management.
Class A companies must also:
  • Design and conduct independent audits of their cybersecurity programs, based on their risk assessments.
  • Monitor privileged access activity by implementing a privileged access management solution, and use an automated method to block commonly used passwords for all accounts on information systems they own or control, with limited exceptions and alternative controls where blocking is infeasible.
  • Implement both an endpoint detection and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerting.
Covered entities meet the new Class A company threshold when, over the last two fiscal years, they have both:
  • At least $20 million in gross annual revenue from all business operations, including the New York business operations of any affiliates that share their information systems, cybersecurity resources, or any part of their cybersecurity program.
  • Including affiliates located anywhere, more than:
    • 2,000 employees on average; or
    • $1 billion in gross annual revenue from all business operations.
The amendments also expand Part 500's limited exemption for small entities to those meeting any one of the following criteria:
  • Fewer than 20 employees and independent contractors, including those of all their affiliates.
  • Less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations, including their affiliates' New York business operations.
  • Less than $15 million in year-end total assets, including all affiliates' assets, calculated according to generally accepted accounting principles.
While the amendments to Part 500 took effect immediately, covered entities have transitional periods ranging from December 1, 2023 to November 1, 2025 to comply with certain new requirements. For the specific transition periods, see the NYDFS Implementation Timelines for Covered Entities, Class A Companies, and Small Businesses.
For more on meeting Part 500's requirements, see Practice Note, The NYDFS Cybersecurity Regulations.