On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment (the “Amendment”) to its Cybersecurity Requirements for Financial Services Companies adopted in 2017, codified in Section 500 of 23 NYCRR 500[1] (the “Cybersecurity Requirements;” the Cybersecurity Requirements as amended by the Amendment, the “Amended Cybersecurity Requirements”). The Amendment imposes significant updates to NYDFS’s Cybersecurity Requirements as part of a statewide effort to bolster safeguards for businesses and consumers: it requires the financial services industry to institute stronger standards and controls to secure sensitive data, in order to address the evolving and increasing risk of cyberattacks on holders of such data. Most notably, the Amendment expands the obligations of entities regulated by NYDFS to report cybersecurity incidents and to enhance their consumer data protection and cybersecurity infrastructure.[2]
Regulated entities are generally required to comply with the new requirements imposed by the Amendment by April 29, 2024,[3] although certain provisions allow a longer time frame for compliance.[4] However, the new requirements regarding reporting certain cybersecurity incidents become effective on December 1, 2023.[5]
Below is a description of some of the important changes introduced by the Amendment.
The Amendment represents a significant overhaul of the cybersecurity regulatory landscape that carries implications for NYDFS-regulated financial institutions, particularly in light of the NYDFS’s clarified authority to bring enforcement actions for even a single violation of the Amended Cybersecurity Requirements. Covered Entities should assess their cybersecurity infrastructure to ensure compliance with the updated regulations by April 29, 2024 (or, in the case of certain reporting obligations, by December 1, 2023). Among other things, Covered Entities should consider whether to increase their investments and corporate budget to design and implement cybersecurity programs that allow for compliance with the new requirements imposed by the Amendment, and should enforce and monitor such compliance not only within the Covered Entity, but also among the Covered Entity’s vendors who store or process data on its behalf or who otherwise have access to the Covered Entity’s data or networks. It is critical for financial institutions to review the impact of the Amendment on their respective institutions as soon as possible in order to take proactive measures to ensure compliance with the Amended Cybersecurity Requirements.
[1] See NYDFS, Second Amendment to 23 NYCRR 500, available at https://dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.
[2] Cybersecurity disclosures and controls have also become an increased focus of the U.S. Securities and Exchange Commission (“SEC”). On July 26, 2023, the SEC adopted final rules requiring registrants to disclose material cybersecurity incidents and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. See SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, available at https://www.sec.gov/corpfin/secg-cybersecurity; see also Shearman & Sterling LLP, SEC Mandates New Cybersecurity Disclosures, available at https://www.shearman.com/en/perspectives/2023/08/sec-mandates-new-cybersecurity-disclosures. The SEC’s 2024 exam priorities include the adequacy of registrants’ policies and procedures, internal controls, oversight of third-party vendors, governance practices, and responses to cyber-related incidents, including those related to ransomware attacks. See SEC, 2024 Examination Priorities, available at https://www.sec.gov/files/2024-exam-priorities.pdf.
[3] The new compliance requirements imposed by the Amendment are effective 180 days from the date of its adoption (i.e., April 29, 2024). See NYDFS, Cybersecurity Resource Center, available at https://dfs.ny.gov/industry_guidance/cybersecurity.
[4] See NYDFS, Cybersecurity Resource Center, available at https://dfs.ny.gov/industry_guidance/cybersecurity.
[5] Ibid.
[6] A “Covered Entity” is defined under Section 500.1(e) of the Amended Cybersecurity Requirements as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”
[7] See Amended Cybersecurity Requirements, Section 500.1(d).
[8] See Amended Cybersecurity Requirements, Section 500.2(c).
[9] See Amended Cybersecurity Requirements, Section 500.7(c).
[10] See Amended Cybersecurity Requirements, Section 500.14(b).
[11] See Amended Cybersecurity Requirements, Section 500.1(q).
[12] See Amended Cybersecurity Requirements, Section 500.4(d).
[13] See Amended Cybersecurity Requirements, Section 500.2(d).
[14] See Amended Cybersecurity Requirements, Section 500.17(b)(2).
[15] See Amended Cybersecurity Requirements, Section 500.5(a)(1).
[16] See Amended Cybersecurity Requirements, Section 500.5(a)(1).
[17] See Amended Cybersecurity Requirements, Section 500.5(b)-(c).
[18] See Amended Cybersecurity Requirements, Section 500.7(a).
[19] See Amended Cybersecurity Requirements, Section 500.7(b).
[20] See Amended Cybersecurity Requirements, Section 500.12.
[21] See Amended Cybersecurity Requirements, Section 500.13(a).
[22] See Amended Cybersecurity Requirements, Section 500.16(a)(1).
[23] See Amended Cybersecurity Requirements, Section 500.16(a)(2).
[24] See Amended Cybersecurity Requirements, Section 500.16(c)-(d).
[25] See Amended Cybersecurity Requirements, Section 500.17(a).
[26] See Amended Cybersecurity Requirements, Section 500.17(c).
[27] See Amended Cybersecurity Requirements, Section 500.20(b).
[28] See Amended Cybersecurity Requirements, Section 500.20(b)(1).
[29] See NYDFS, Assessment of Public Comments on the Revised Proposed Second Amendment to 23 NYCRR Part 500 (“Assessment of Public Comments”), page 37, available at https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_apc_20231101.pdf.
[30] See Amended Cybersecurity Requirements, Section 500.20(b)(2).
[31] See Assessment of Public Comments, page 38.
[32] See Amended Cybersecurity Requirements, Section 500.20(c).