NYDFS Expands Cybersecurity Regulations: Extortion Payment Reporting, Corporate Governance, and Technical Requirements

Jones Day

A major amendment to the New York State Department of Financial Services' cybersecurity regulations establishes affirmative cybersecurity oversight duties and requires companies to report extortion payments to the agency.

On November 1, the NYDFS adopted the first substantial amendment to its cybersecurity regulations, 23 NYCRR 500, since their issuance in 2017. These regulations apply, with limited exemptions, to businesses authorized to operate under New York's Banking Law, Insurance Law, or Financial Services Law. 

Key changes include: 

  • Extortion Payment Reporting. Covered entities must notify NYDFS within 24 hours of making an extortion payment and then provide a written description within 30 days detailing the payment's necessity, alternatives considered, and all relevant diligence performed. 
  • Corporate Governance Obligations. A covered entity's senior governing body must oversee cybersecurity risk management by having sufficient understanding of cybersecurity-related matters; regularly reviewing management reports about cybersecurity matters; and confirming that management has established a cybersecurity program and allocated sufficient resources to make it effective.
  • CISO's Duties. The Chief Information Security Officer ("CISO") must "timely" report "material" cybersecurity issues, including "significant cybersecurity events and significant changes to the covered entity's cybersecurity program," to the covered entity's senior governing body.
  • Notification ResponsibilitiesReportable cybersecurity incidents now include those occurring at a covered entity's third-party service providers.
  • Technical Safeguards. Covered entities must implement access and risk-based controls.
  • Written Policies and Procedures. Covered entities must implement written incident response and disaster recovery plans. Importantly, covered entities must also adopt IT asset management policies and procedures that include asset risk classification, risk oversight, and reporting across all IT capabilities and services.
  • Compliance Requirements. Covered entities must submit annual certifications to NYDFS attesting to "material" compliance with the regulations. If an entity is noncompliant, then it must identify the noncompliance and provide a remediation timeline.

Covered entities that generated at least $20,000,000 in gross annual revenue from New York over the past two years and had either (1) over 2,000 employees, or (2) over $1,000,000,000 in gross annual revenue during that period, must implement additional technical safeguards and conduct annual independent audits of their cybersecurity programs. 

With some exceptions, covered entities have until April 29, 2024, to comply with the new requirements. Covered entities must comply with the amendment's cybersecurity incident and extortion payment notification requirements by December 1, 2023.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Jones Day

Written by:

Jones Day
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide