<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

Navigating Regulatory Changes: A Look into the NYDFS Cybersecurity Regulation

On November 1st, 2023, the New York Department of Financial Services (“NYDFS”) published its second amendment to the cybersecurity regulation 23 NYCRR 500. This amendment reflects New York’s approach to mitigating cybersecurity risks for financial institutions that it supervises. 

Whether you or your clients need to comply with this regulation, or are looking to see what controls regulators are requiring, it is important to: 

  • Review the requirements with your security and compliance teams

  • Perform an internal gap assessment

  • Ensure that your organization has the controls or remediation plans in place to comply

Not sure where to start? 

Don’t worry, we put together a NYDFS toolkit for Corvus policyholders and a free consultation with attorneys that focus on privacy and security compliance! Email us to request your toolkit or the free consultation.

 

Here is a breakdown of the key changes:

 

Definitions

New York has added new terms and definitions in an attempt to provide further clarity on compliance.

Term

Definition 

Class A Companies

A new classification of organizations that have at least $20 million in gross annual revenue in each of the last two fiscal years in New York and either 
  • Over 2,000 employees over the last two fiscal years 
  • Over $1 billion in gross annual revenue in each of the last two years from all business operations

Privileged Account

Authorized user or service accounts that can be used to perform security-related functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to information systems.

Senior governing body 

The board of directors (or an appropriate committee thereof) or equivalent governing body. If neither exists, then the senior officer or officers responsible for the organization’s cybersecurity program.

Policies and Procedures

The amendment adds requirements around the organization’s policies and procedures, emphasizing the importance of these as the foundation of a cybersecurity program. This may require an additional time investment and resources to stay compliant. 

Section

Change

500.3 - Cybersecurity Policy

Procedures developed, documented, and implemented in accordance with the controls covered in the policies. This includes the addition of data retention, end of life management, vulnerability management, and more. 

500.15 - Encryption of Nonpublic Information

Implement a written policy requiring encryption that meets industry standards, to protect nonpublic information held or transmitted by the organization both in transit and at rest. 

500.16 - Incident response and business continuity management

Establishing written incident response, business continuity and disaster recovery plans, with specific requirements for each.

Cybersecurity Controls

New controls have been introduced while existing ones have been updated to align with the evolving cybersecurity landscape. This means not only more resources and time spent on implementing these new or modified controls but also potentially additional tooling to meet compliance.  

Section

Change

500.5 - Vulnerability Management

Modified current requirement to:

Conduct at minimum:
  • Annual penetration tests
  • Automated scans alongside manual reviews for identifying, analyzing, reporting, and remediating vulnerabilities timely.

500.7 - Access privileges and management

Modified current requirement to:

Implement access management controls to adhere to the principle of least privilege, including:
  • Limit user access privileges to those necessary for the user’s job
  • Limit the number of privileged accounts and the privileges that these accounts have
  • Limit the use of privileged accounts to only when performing functions requiring the use of these accounts
  • Review all user access privileges at least annually.

500.13 - Asset management and data retention requirements.

New requirement:

Produce, maintain and update an asset inventory and track key information for each asset, including owner, location, classification/sensitivity, expiration dates, and recovery time objectives.

Class A Companies

Additional requirements for Class A companies, as defined above in the definitions section, highlights the heightened cybersecurity expectations for larger entities. These come from the potential widespread impact of incidents, the inherent challenges posed by the complexity and scale of their operations, and the public expectations for robust cybersecurity measures to safeguard sensitive data and maintain trust. Depending on your current environment, this could result in more investments in time, resources, tooling, and bringing on an auditing firm to meet the independent audit requirement. 

Section

Change

500.2 - Cybersecurity program

Design and conduct an independent audit of their cybersecurity program based on its risk assessment. 

500.7 - Access privileges and management

Implement a privileged access management solution and an automated way of blocking commonly used passwords for all accounts on systems owned or controlled by the organization and wherever feasible for all other accounts.

500.14 - Monitoring and training

Implement an endpoint detection and response solution and a solution that centralizes logging and security event alerting.

Administrative Items

New York also included updates aimed to support accountability and transparency in managing cybersecurity risks. Both are important in fostering a culture of responsibility, informed decision-making, and building trust with stakeholders. This results in additional reporting requirements which will require more collaboration between security, legal, and executive leadership teams for both cyber security incidents and compliance attestations. 

Section

Change

500.17 - Notices to Superintendent

Report a cybersecurity incident within 72 hours has been updated to when a cybersecurity event occurs at the organization, its affiliates, or a third-party service provider that:
  • Impacts the organization and requires notification to any government, self-regulatory, or supervisory body
  • Has a reasonable likelihood of materially harming any material part of the operations of the organization.
  • Results in the deployment of ransomware within a material part of the organization's systems. 

500.17 - Notices to Superintendent

Written acknowledgement for any portions of the regulation that the organization does not materially comply with, including documented remediation timelines and plans, signed by both the CISO and the highest-ranking executive (i.e., CEO).

500.17 - Notices to Superintendent

  • Report a notice of extortion payments within 24 hours of the payment being made.
  • Within 30 days, a written description of the reasons that the payment was necessary, a description of alternative measures considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with other applicable rules and regulations.

Timeline

The amendment includes a transitional period for organizations to comply with the various changes. Below is a compliance timeline to support your journey. 

[TIMELINE] 23 NYCRR 500 - Second Amendment Compliance Timeline

Next steps

The outlined changes represent a portion identified in the amendment. Conducting an internal gap assessment against the amendment is a prudent first step to understand what gaps exist in your current cybersecurity program and where additional support is needed. 

Yes, this is a lot! But Corvus has created a NYDFS toolkit that includes a gap assessment template to guide organizations through their internal assessment process. We have also secured a free consultation with a leading law firm to help your organization (or your clients) start to navigate the changes. If you are a Corvus policyholder or broker partner, email us and request the toolkit or consultation. We encourage all organizations to stay updated on future potential changes to the regulation by signing up on the NYDFS’ website for email updates on the amendment. 

This blog is intended for general guidance and informational purposes only. This blog is under no circumstances intended to be used or considered as specific legal, insurance, or information security advice. This blog is not to be considered an objective or independent explanation of the matters contained herein.

Recent Articles

Cleo File Transfer Alert | December 2024


Cleo customers could be at risk due to a critical security flaw. Here's what you need to know.

November 2024: A Record-Breaking Month for Ransomware Attacks


In November 2024, ransomware activity reached an all-time high, with 632 reported victims listed to leak sites. Learn more in this ransomware update.

Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed


Ransomware attacks remained high in Q3 2024 thanks to the RansomHub, PLAY, and LockBit 3.0 ransomware gangs. Check out the full cyber report for more info.