On March 1, 2017, the New York State Department of Financial Services (DFS) enacted 23 NYCRR 500 (Part 500), or the “DFS cyber regulations,” with the intent to combat the growing risk of cybersecurity threats.1 The DFS cyber regulations were amended as of November 1, 2023. The amendments include changes to cybersecurity incident reporting, security controls and policy requirements, and oversight of cybersecurity protocols, among other things. Many of these changes are summarized below.
Among other things, the amended regulations:
Various amendments are scheduled to take effect between December 1, 2023 and November 1, 2025.
A covered entity is any company operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under Banking, Insurance, or Financial Services Law. Examples of covered entities include banks, lenders and life insurance companies.2 All covered entities must comply with the cyber regulations unless they are subject to an exemption.
A Class A Company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all of its business operations and the business operations of its affiliates located in New York State. In addition, the entity must either have 1) more than 2,000 employees (including those of affiliates, no matter where located), averaged over the last two fiscal years; or 2) over $1 billion in gross annual revenue (including revenue earned by affiliates, no matter where located). An affiliate is any person or entity that controls, is controlled by or is under common control with the covered entity. Affiliates count toward the Class A determination only if they share information systems, cybersecurity resources or all or part of a cybersecurity program with the covered entity.3
In addition to requirements applicable to covered entities, heightened requirements for Class A Companies include, but are not limited to:
The amendments clarify that if a covered entity employs a third-party CISO, the covered entity remains responsible for compliance with the cyber regulations, and that CISO is subject to additional oversight requirements. In connection with the CISO’s implementation and enforcement of the cybersecurity program and policy, the CISO now:
The amendments memorialize what some regulators or courts have required in certain cases by requiring that the senior governing body oversee the covered entity’s cybersecurity risk management. This includes understanding cybersecurity-related matters, maintaining cybersecurity programs, regularly reviewing cybersecurity reports and confirming that the entity has allocated sufficient resources to cybersecurity programs.8
Before the amendments, covered entities’ cybersecurity programs required, among other things, monitoring and testing of cybersecurity programs, use of effective controls and periodic risk assessments.9
Now, these requirements have been clarified or heightened. That is, under the current cyber regulations, a covered entity’s cybersecurity program must include, among other things:
Covered entities still have to provide a compliance certification to the superintendent. The amendments now require that such certification be based on certain supporting materials; where the entity did not materially comply, it must instead submit a written acknowledgement of material non-compliance that describes the remediation planned or underway.12 These submissions are due annually by April 15.13
Before the amendments, covered entities had to notify the superintendent if a cybersecurity incident occurred and impacted the covered entity or had a reasonable likelihood of impacting the entity. The notice had to be provided “promptly as possible but in no event later than 72 hours after determin[ation] that [the event had] occurred[.]”14 Although the time to notify the superintendent remains the same, covered entities now also have to provide notice of cybersecurity incidents that occur at the entity’s affiliates or third-party service providers, in addition to incidents that occur at the covered entity itself.15
Covered entities are now required to provide notice of “extortion payment[s]” made in connection with a cybersecurity incident, using a form on the DFS website, within 24 hours of the payment or of notice of the payment.16 Within 30 days of such payment, the covered entity must provide a description of the alternatives considered, the due diligence used to identify those alternatives and the due diligence used to comply with the regulations of the Office of Foreign Assets Control, which administers and enforces economic and trade sanctions.17
The commission of a single act prohibited by the cyber regulations or the failure to satisfy an obligation required by the cyber regulations may be a violation.18 In assessing the penalty for violations, the superintendent can consider a list of factors, including, but not limited to, an entity’s cooperation in the matter, any history of prior violations, the entity’s good faith and the extent of harm to consumers.19 Any penalty that may be imposed by the superintendent for violating the cyber regulations will be pursuant to New York Banking Law, Insurance Law, or Financial Services Law.20 Penalties under these laws range from $500 to $10,000 per violation.21
The amendments modify the criteria that covered entities must satisfy in order to qualify for a limited or full exemption to the cyber regulations. The amendments allow for more businesses to be exempt from certain requirements of the cyber regulations.
The amendments expand the exemption criteria for small businesses, resulting in additional financial service companies that could be exempt from sections of the cyber regulations. Small businesses are defined as those with 1) fewer than 20 employees and independent contractors of the covered entity and affiliates (previously 10 employees), 2) less than $7,500,000 in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and business operations of its affiliates within New York State (previously $5,000,000), or 3) less than $15,000,000 in year-end total assets, including assets of all affiliates (previously $10,000,000).22 The requirements that small businesses are exempt from include designating a CISO to report to the senior governing body and establishing written incident response plans, among other things.23
Small businesses must still comply with all other sections of the cyber regulations, including, but not limited to, the implementation of a cybersecurity program, written policies for the protection of nonpublic information and periodic risk assessments.
Notably, regardless of size, all businesses that own or license New York residents’ computerized private information, whether or not licensed by DFS, are still separately required under General Business Law § 899-bb to “develop, implement and maintain reasonable safeguards” to protect private information.24
Apart from limited exemptions for small businesses, an otherwise covered entity may qualify for a full exemption from the cyber regulations if:
This section exempts entities that are subject to the cyber regulations of a separate DFS-regulated business. While this exemption existed previously, the amendments add wholly-owned subsidiaries to the categories of entities included in this section.
Additionally, the amendments create new exemptions for 1) inactive individual insurance brokers, 2) individual insurance agents who are placed in inactive status under Insurance Law section 2103, and 3) individual licensees placed in inactive status under Banking Law section 599-i.25
If a covered entity qualifies for a full exemption from Part 500, it must submit a Notice of Exemption through the DFS Portal within 30 days of the determination that the covered entity is exempt.26
It is important that financial service companies review their compliance programs and seek assistance from experienced professionals in light of the amendments to the DFS cyber regulations.
Additional Assistance
For further information on DFS cyber regulations and how they affect your organization, please contact a member of the Phillips Lytle Data Privacy and Cybersecurity Team or the Phillips Lytle attorney with whom you have a relationship.
1 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0 (2023) (eff. Mar. 1, 2017).
2 Dan Pepper & Elyssa Diamond, NYDFS Cybersecurity Requirements Compared to FTC Safeguards Rule, Bloomberg Law, https://www.bloomberglaw.com/external/document/X273RH98000000/data-collection-management-overview-new-york-department-of-finan (last visited Nov. 10, 2023).
3 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(a), (d) (2023).
4 Id. §§ 500.2(c), 500.14(b).
5 Id. § 500.4(d).
6 Id. § 500.4(c).
7 Id. § 500.7(c).
8 Id. §§ 500.2(c), 500.14(b).
9 Id. §§ 500.5, 500.7, 500.9.
10 Id. §§ 500.13, 500.14, 500.15, 500.16.
11 Id. § 500.12(a).
12 Id.
13 Id.
14 Id. § 500.17(a)(1).
15 Id.
16 Id. § 500.17(c)(1).
17 U.S. Dep’t of the Treasury, Office of Foreign Assets Control, https://ofac.treasury.gov/ (last visited Nov. 17, 2023).
18 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.20(b) (2023).
19 Id. § 500.20(c).
20 Id.
21 N.Y. Comp. Codes R. & Regs. tit. 3 § 38.8(a) (2023) (eff. Mar. 13, 1987); N.Y. Fin. Serv. Law § 812(a) (Westlaw through L.2023, ch. 1 to 630); N.Y. Ins. Law § 2127 (Westlaw through L.2023, ch. 1 to 630).
22 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.19(a) (2023).
23 Id. § 500.19.
24 N.Y. Gen. Bus. Law § 899-bb(2) (Westlaw through L.2023, ch. 1 to 630) (eff. Mar. 21, 2020).
25 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.19(g).
26 N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity (last visited Nov. 21, 2023).