As we have previously written, late last year the New York Department of Financial Services (NYDFS) adopted long-awaited amendments to its Part 500 Cybersecurity Regulations (Part 500). These are some of the most significant changes to Part 500 since March 2017.
While some of those amendments went into effect immediately, others were pushed out on an extended timeline for implementation. The next round of amendments, including those related to cybersecurity governance, incident response and management, and encryption, will go into effect for all covered entities, except those that qualify for an exemption, on November 1st.
Starting November 1st, covered entities, including Class A companies, are required to implement the following practices:
- Cybersecurity Governance: Chief Information Security Officers (CISOs) must report in writing to senior governing bodies/senior officials on material cybersecurity issues (such as cybersecurity events or changes to the program) and on plans for remediating material inadequacies. The senior governing bodies/senior officials must exercise oversight of cybersecurity risk management. (See Section 500.4)
- Incident Response and Business Continuity Management: Incident Response (IR) plans must be updated as specified and tested at least annually. Business Continuity and Disaster Response (BCDR) plans that are reasonably designed to address a cybersecurity-related disruption as specified must also be in place. Training must be provided to all employees with responsibilities under BCDR and the plans must be tested and updated as necessary. The tests should focus on the covered entity’s ability to restore critical data and information systems from backups and maintain and adequately protect backups necessary to restore material operations. (See Section 500.4)
- Encryption of Nonpublic Information (NPI): Covered entities must implement a written policy requiring encryption that meets industry standards and may no longer use effective alternative compensating controls in place of encryption of NPI in transit over external networks. Note that covered entities may still use effective compensating controls for encryption of NPI at rest, provided that the compensating controls are reviewed and approved in writing by the CISO at least annually. (See Section 500.15)
Requirements for Small Businesses
Starting November 1st, small businesses that qualify for partial exemptions under the amendments must also implement multi-factor authentication (Section 500.12(a)) and cybersecurity training (Section 500.14(a)(3)). More specifically, multi-factor authentication (MFA) must be implemented for remote access to information and third-party applications where NPI is accessible (including cloud applications), and to privileged accounts. Cybersecurity training must be provided to all personnel and should include details regarding social engineering.
Next Steps
Covered entities, Class A companies and small businesses still have a few weeks to examine and update their cybersecurity policies and practices, or implement new ones, to ensure they are fully compliant by the November 1st deadline. As applicable, covered entities, Class A companies and small businesses should:
- Review cybersecurity governance structure and standard practices for reporting to governing bodies.
- Update and test incident response and business continuity plans.
- Implement written encryption policies.
- Implement multi-factor authentication.
- Implement cybersecurity training with a focus on social engineering attacks.
NYDFS helpfully provides additional guidance at its Cybersecurity Resource Center and has also updated its list of Frequently Asked Questions in light of the upcoming deadline.