Client Alerts  - Data Privacy and Cybersecurity Dec 06, 2023

New Cybersecurity Requirements for Financial Service Companies

New regulations include changes to several cybersecurity procedures.

On March 1, 2017, the Department of Financial Services (DFS) enacted 23 NYCRR 500 (Part 500), or “DFS cyber regulations,” with the intent to combat the growing risk of cybersecurity threats.1 The DFS cyber regulations were amended as of November 1, 2023, which include changes to cybersecurity incident reporting, security controls and policy requirements, and oversight of cybersecurity protocol, among other things. Many of these changes are summarized below.

Among other things, the amended regulations:

  • Impose heightened requirements on “Class A Companies.”
  • Clarify the responsibilities of the Chief Information Security Officer (CISO) and governing body of a covered entity
  • Require specific data protection measures
  • Expand certification and security event notification requirements
  • Modify exemptions
  • Expand the enforcement provision

Various amendments are scheduled to take effect between December 1, 2023 to November 1, 2025.

Class A Company Requirements

A covered entity is any company operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under Banking, Insurance, or Financial Services Law. Examples of covered entities include banks, lenders and life insurance companies.2 All covered entities must comply with the cyber regulations unless they are subject to an exemption.

A Class A Company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all of its business operations and the business operations of its affiliates located in New York State. In addition, the entity must either have 1) more than 2,000 employees (including those of affiliates, no matter where located), averaged over the last two fiscal years; or 2) over $1 billion in gross annual revenue (including earned by affiliates, no matter where located). An affiliate controls, is controlled by or is under common control with another person or entity and should only be used to determine if a covered entity is classified as a Class A Company if they share information systems, cybersecurity resources or all or part of a cybersecurity program with the covered entity.3

In addition to requirements applicable to covered entities, heightened requirements for Class A Companies include, but are not limited to:

  • Designing and conducting independent audits of its cybersecurity program based on risk assessment
  • Monitoring privileged access activity and implementing a privileged access management solution
  • If feasible, automatically blocking commonly used passwords for information system accounts
  • With limited exception, implementing an endpoint detection and response solution and a solution that centralizes security event alerting4

Responsibilities and Oversight of the Chief Information Security Officer

The amendments clarify if a covered entity employs a third party CISO, the covered entity remains responsible for compliance with the cyber regulations, and that CISO is subject to additional oversight requirements. In connection with the CISO’s implementation and enforcement of the cybersecurity program and policy, the CISO now:

  • Not only has to report at least annually on the entity’s cybersecurity program, but should also timely report “material cybersecurity issues”5 to the “senior governing body,” such as the board of directors6
  • Manage privileged accounts
  • If blocking is not employed at a Class A Company, approve in writing the infeasibility of automatically blocking commonly used passwords from use on internet systems and also approve the use of reasonably equivalent or more secure compensating controls7
  • Approve in writing the use of reasonably equivalent or more secure compensating controls if a Class A Company does not implement an endpoint detection and response solution or centralized logging and security event alerting

Responsibilities of the Senior Governing Body

The amendments memorialize what some regulators or courts have required in certain cases by requiring that the senior governing body oversee the covered entity’s cybersecurity risk management. This includes understanding cybersecurity-related matters, maintaining cybersecurity programs, regularly reviewing cybersecurity reports and confirming that the entity has allocated sufficient resources to cybersecurity programs.8

Specific Data Protection Measures

Before the amendments, covered entities’ cybersecurity programs required, among other things, monitoring and testing of cybersecurity programs, use of effective controls and periodic risk assessments.9

Now, these requirements have been clarified or heightened. That is, under the current cyber regulations, a covered entity’s cybersecurity program must include, among other things:

  • Documented asset inventory of the entity’s information systems
  • Written incident response plans to respond and recover from cybersecurity incidents
  • Written business continuity disaster recovery (BCDR) plans designed to maintain the availability and functionality of information systems in the event of a cybersecurity incident
  • Risk-based controls designed to protect against malicious code
  • Annual cybersecurity awareness training
  • A written policy requiring encryption to protect nonpublic information10
  • Multi-factor authentication for remote access and all privileged accounts11

DFS Notification Requirements

Annual Certification

Covered entities still have to provide a compliance certification to the superintendent. But, the amendments now require that such certification be based on certain supporting materials, as well as a written acknowledgement of material non-compliance and remediation.12 These statements are due annually by April 15.13

Security Event Notification

Before the amendments, covered entities had to notify the superintendent if a cybersecurity incident occurred and impacted the covered entity or had a reasonable likelihood of impacting the entity. The notice had to be provided “promptly as possible but in no event later than 72 hours after determin[ation] that [the event had] occurred[.]”14 Although the time to notify the superintendent remains the same, covered entities have to provide notice of cybersecurity incidents that occur at the entity’s affiliates or third-party service providers, in addition to incidents that occur at the covered entity.15

Covered entities are now required to provide notice of “extortion payment[s]” in connection with a cybersecurity incident using a form on the DFS website within 24 hours of the payment or notice of the payment.16 Within 30 days of such payment, a description of alternatives considered must be provided. In addition, the covered entity has to describe the due diligence used to identify alternatives and to comply with the regulations of the Office of Foreign Assets Control, who administers and enforces economic trade sanctions.17

Expanded Enforcement Provisions

The commission of a single act prohibited by the cyber regulations or the failure to satisfy an obligation required by the cyber regulations may be a violation.18 In assessing the penalty for violations, the superintendent can consider a list of factors, including, but not limited to, an entity’s cooperation in the matter, any history of prior violations, the entity’s good faith and the extent of harm to consumers.19 Any penalty that may be imposed by the superintendent for violating the cyber regulations will be pursuant to New York Banking Law, Insurance Law, or Financial Services Law.20 Penalties under these laws range from $500 to $10,000 per violation.21

Modified Exemptions

The amendments modify the criteria that covered entities must satisfy in order to qualify for a limited or full exemption to the cyber regulations. The amendments allow for more businesses to be exempt from certain requirements of the cyber regulations.

Small Business Exemption

The amendments expand the exemption criteria for small businesses, resulting in additional financial service companies that could be exempt from sections of the cyber regulations. Small businesses are defined as those with 1) fewer than 20 employees and independent contractors of the covered entity and affiliates (previously 10 employees), 2) less than $7,500,000 in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and business operations of its affiliates within New York State (previously $5,000,000), or 3) less than $15,000,000 in year-end total assets, including assets of all affiliates (previously $10,000,000).22 The requirements that small businesses are exempt from include designating a CISO to report to the senior governing body and establishing written incident response plans, among other things.23

Small businesses must still comply with all other sections of the cyber regulations, including, but not limited to, the implementation of a cybersecurity program, written policies establishing protecting of nonpublic information and risk assessments.

Notably, regardless of size, all businesses that own or license New York residents’ computerized private information, whether or not licensed by DFS, are still separately required under General Business Law 899-bb to “develop, implement and maintain reasonable safeguards” to protect private information.24

Full Exemptions

Apart from limited exemptions for small businesses, an otherwise covered entity may qualify for a full exemption from the cyber regulations if:

  • The covered entity is an employee, agent, wholly owned subsidiary, representative or designee of another DFS-regulated business
  • The other business’s cybersecurity program fully covers the covered entity

This section exempts entities that are subject to the cyber regulations of a separate DFS-regulated business. While this exemption existed previously, the amendments add wholly-owned subsidiaries to the categories of entities included in this section.

Additionally, the amendments create new exemptions for 1) inactive individual insurance brokers, 2) individual insurance agents who are placed in inactive status under Insurance Law section 2103, and 3) individual licensees placed in inactive status under Banking Law section 599-i.25

If a covered entity qualifies for a full exemption from Part 500, it must submit a Notice of Exemption through the DFS Portal within 30 days of the determination that the covered entity is exempt.26

It is important that financial service companies review their compliance programs and seek assistance from experienced professionals in light of the amendments to the DFS cyber regulations.

Additional Assistance

For further information on DFS cyber regulations and how they affect your organization, please contact a member of the Phillips Lytle Data Privacy and Cybersecurity Team or the Phillips Lytle attorney with whom you have a relationship.


1   N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0 (2023) (eff. Mar. 1, 2017).

2   Dan Pepper & Elyssa Diamond, NYDFS Cybersecurity Requirements Compared to FTC Safeguards Rule, Bloomberg Law, https://www.bloomberglaw.com/external/document/X273RH98000000/data-collection-management-overview-new-york-department-of-finan (last visited Nov. 10, 2023).

3   N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(a), (d) (2023).

4   Id. §§ 500.2(c), 500.14(b).

5   Id. § 500.4(d).

6   Id. § 500.4(c).

7   Id. § 500.7(c)

8   Id. §§ 500.2(c), 500.14(b).

9   Id. §§ 500.5, 500.7, 500.9.

10   Id. §§ 500.13, 500.14, 500.15, 500.16.

11   Id. § 500.12(a).

12   Id.

13   Id.

14   Id. § 500.17(a)(1).

15   Id.

16   Id. § 500.17(c)(1).

17   U.S. Dep’t of the Treasury, Office of Foreign Assets Control, https://ofac.treasury.gov/ (last visited Nov. 17, 2023).

18   N.Y. Comp. Codes R. & Regs. tit. 23, § 500.20(b) (2023).

19   Id. § 500.20(c).

20   Id.

21   N.Y. Comp. Codes R. & Regs. tit. 3 § 38.8(a) (2023) (eff. Mar. 13, 1987); N.Y. Fin. Serv. Law § 812(a) (Westlaw through L.2023, ch. 1 to 630); N.Y. Ins. Law § 2127 (Westlaw through L.2023, ch. 1 to 630).

22   N.Y. Comp. Codes R. & Regs. tit. 23, § 500.19(a) (2023).

23   Id. § 500.19.

24   N.Y. Gen. Bus. Law § 899-bb(2) (Westlaw through L.2023, ch. 1 to 630) (eff. Mar. 21, 2020).

25   N.Y. Comp. Codes R. & Regs. tit. 23, § 500.19(g).

26   N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity (last visited Nov. 21, 2023).

Related Insights

View All