In November 2023, the New York State Department of Financial Services (NYDFS) amended 23 NYCRR Part 500, otherwise known as the Cybersecurity Regulation. While the rule is aimed predominantly at the banking and insurance industries, many organizations outside those industries will still be required to adhere to it. Before we get into the changes, let’s discuss what the Cybersecurity Regulation aims to accomplish.
Overview of the New York Cybersecurity Regulation
The Cybersecurity Regulation originally took effect on March 1, 2017. The aim of the rule was to unify the approach to safeguarding nonpublic information stored on the information systems of organizations regulated by NYDFS, including protecting that information from criminal actors, hostile nation-states, and terrorist organizations. Organizations that are required to adhere to the rule are referred to in the regulation, and in this article, as covered entities.
As part of the original regulation, covered entities, inclusive of their affiliates, are required to:
- Cybersecurity Program: Maintain a cybersecurity program designed to protect nonpublic information stored on its systems.
- Cybersecurity Policy: Maintain a written policy surrounding the program.
- Chief Information Security Officer (CISO): Designate a CISO, whether employed internally or via a third-party service provider, responsible for overseeing, implementing, and reporting on the effectiveness of the program.
- Risk Assessments: Perform periodic risk assessments of the information systems and the nonpublic information they hold; the results must inform the design of the cybersecurity program and its controls.
- Access Controls: Limit access to information systems to authorized individuals.
- Training: Provide cybersecurity personnel with the appropriate training sufficient to manage the covered entity’s cybersecurity risks.
- Data Encryption: Implement encryption to protect nonpublic information both at rest and in transit over external networks; where encryption is infeasible, the CISO must approve compensating controls and review them at least annually.
- Incident Response: Maintain a written incident response plan for cybersecurity events.
- Annual Compliance: Submit a written statement that the covered entity materially complied with the requirements of the Cybersecurity Regulation for the previous year.
While there are quite a few requirements, the rule does allow for limited or full exemptions based on a number of factors including, but not limited to, number of employees, gross annual revenue, year-end total assets, and whether the entity operates its own information systems or controls any nonpublic information at all. Exempt entities must still file a notice of exemption with NYDFS.
So what changed with the November 2023 amendments to the New York Cybersecurity Regulation?
The amendments largely strengthened the already established cybersecurity requirements:
- Class A Companies: The amendments create a new tier of large covered entities (broadly, those with at least $20 million in gross annual revenue from New York operations and either more than 2,000 employees or more than $1 billion in gross annual revenue, counting affiliates). Class A companies face additional requirements, including an independent audit of the cybersecurity program, a privileged access management solution, automated blocking of commonly used passwords, and endpoint detection and response (EDR) paired with centralized logging and security event alerting.
- Asset Management: Covered entities are required to document and maintain a complete inventory of their information systems, recording for each asset at a minimum its owner, location, classification or sensitivity, support expiration date, and recovery time objective, and to keep that inventory current.
- Enhanced Oversight: CISOs are required to “regularly” report to the senior governing body on material cybersecurity risks and the effectiveness of the entity’s cybersecurity program.
- Enhanced Risk Assessments and Testing: Risk assessments must be reviewed and updated at least annually and whenever a material change in the business or technology environment occurs. Penetration testing of information systems from both inside and outside the network boundary must be performed at least annually by a qualified independent party, and automated vulnerability scans (with manual review of systems the scanners cannot reach) must run at a frequency set by the risk assessment and promptly after any material system change.
- Enhanced Cybersecurity Program: Multi-factor authentication must be used by every individual accessing any information system of the covered entity, whether remotely or on-site, unless the CISO has approved documented compensating controls. Covered entities must also implement endpoint (i.e., user device) monitoring for anomalous activity and centralized audit logging; for Class A companies this specifically means an EDR solution and a centralized logging and alerting platform.
- Enhanced Incident Response: Establish a written business continuity and disaster recovery (BCDR) plan that ensures the availability and functionality of the information systems and protects the covered entity’s nonpublic information. Each BCDR plan must address, among other things, the communication plan for a cybersecurity event, procedures for timely recovery of critical data and systems, and the identification of the third parties necessary to the continued operation of the information systems. Both the incident response plan and the BCDR plan must be tested at least annually, and relevant personnel must be trained on them.
- Enhanced Annual Compliance: By April 15 of each year, the highest-ranking executive and the CISO must jointly certify to the Superintendent that the covered entity materially complied with the regulation during the prior calendar year. Where the entity did not materially comply, it must instead file an acknowledgment of noncompliance that identifies the gaps and provides a remediation plan and timeline.
- Extortion Payments: In addition to the existing 72-hour notice for cybersecurity incidents (which now also covers incidents at affiliates and third-party service providers), any extortion payment made in connection with a cybersecurity incident must be reported to the Superintendent no later than 24 hours after payment. Within 30 days of the payment, the covered entity must submit a further written report describing why payment was necessary, the alternatives considered, and all other diligence performed before paying, including compliance with applicable sanctions rules.
What kind of penalties are there for non-compliance with NYCRR Part 500?
While the Cybersecurity Regulation doesn’t explicitly detail any penalty amounts, it does reference the enforcement provisions granted to NYDFS, which include the ability to impose fines, penalties, and other enforcement actions such as the revocation of licenses. Penalties can range from thousands to millions of dollars depending on the severity and volume of violations, including the failure to remediate known issues. Perhaps the largest and most well-known organization to be penalized for failure to adhere to the Cybersecurity Regulation was Robinhood Crypto, the cryptocurrency arm of the popular investing platform, Robinhood. In 2022, NYDFS fined the organization $30 million for deficiencies in both its anti-money-laundering and cybersecurity programs, including inadequate risk management and failures to meet the regulation’s reporting and certification requirements.
What does all of this mean for cybersecurity at my organization?
Recall from the opening paragraph that this regulation is aimed at the banking and insurance sectors. However, affiliates of those organizations may also be pulled into scope.
Consider a healthcare system that owns a captive insurance company licensed by NYDFS. The captive is a covered entity, and any affiliate that shares information systems with it, handles its nonpublic information, or provides it services is within the reach of the captive’s cybersecurity program, risk assessments, and third-party oversight requirements; affiliate headcount and revenue also count toward the Class A thresholds. Similarly, manufacturers that offer installment payment plans to customers may become covered entities themselves if those plans are structured as licensed lending or credit products under New York law.
If you’re unsure whether NYCRR Part 500 applies to your organization, or if you need assistance with implementing the requirements, call Freed Maxick for a complimentary discussion.