The New York Department of Financial Services (NYDFS) adopted a long-expected amendment to its Part 500 Cybersecurity Regulations (Part 500) this week. These are the first significant changes to Part 500 since its inception in March 2017.
The draft amendment was first published for public comment on July 29, 2022, and was followed by two additional drafts (published on November 9, 2022 and June 28, 2023) reflecting responses to public comment and other changes. The finalized amendment, adopted on November 1, 2023, will go into effect immediately upon publication in the New York State Register; however, there are some transitional periods for when covered entities will need to demonstrate compliance with these provisions.
One of the major changes entails creating a new class of entities known as “Class A Companies” that will be subject to heightened requirements. Class A Companies are NYDFS-regulated businesses that either (a) have over 2,000 employees, or (b) have over $1 billion in gross annual revenue, in each case including the company’s affiliates. The heightened requirements for Class A Companies include:
- Conducting an annual independent audit of their cybersecurity programs. These can be done by external or internal auditors.
- Implementing a privileged access management solution as well as methods for automatically blocking passwords that are commonly used.
- Implementing endpoint detection tools and other solutions to monitor and log potentially unauthorized activity.
There are also some significant updates in the area of governance and Chief Information Security Officer (“CISO”) responsibilities that are applicable to all covered entities. In addition to an annual report, CISOs are now required to report to their senior governing body (e.g., board) or other senior executive on material cybersecurity issues including “significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.”
The Part 500 update also includes requirements and guidance for how a senior governing body should “exercise oversight” of a covered entity’s cybersecurity program. In particular, it requires the senior governing body to have a “sufficient understanding of cybersecurity-related matters,” receive regulatory updates on the cybersecurity program, and also provide sufficient resources for managing the program.
An overview of some other significant changes is provided in the table below:
Effective Dates
Covered entities will need to demonstrate compliance within 180 days of the Part 500 update being published in the State Register, with the exception of the requirements listed in the table below:
Next Steps
Covered entities should begin to determine how the Part 500 updates may affect existing licenses or applications currently under review. In particular, covered entities should:
- Determine whether they fall under the definition of a “Class A Company.”
- Update documentation to account for new policy and procedure requirements.
- Examine their cybersecurity governance structure to ensure that their CISOs and senior governing bodies have the capabilities and resources to manage the cybersecurity program and report on material issues as needed.